Trust Assessment
endurance-coach received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 8 findings: 0 critical, 4 high, 4 medium, and 0 low severity. The four high-severity findings concern command injection through the user-controlled `<id>` in `activity <id> --laps`, ad-hoc SQL through the `query` command, an instruction to gather Strava credentials, and unpinned package execution via `npx -y endurance-coach@latest`. The medium findings cover direct shell command execution (`ls`), unspecified CLI commands (`auth`, `sync`, `schema`, `validate`, `render`), and assessment commands run from an external file.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 12/100; all eight findings come from that layer, so the risk lies in what SKILL.md instructs the model to do rather than in the package's own code or dependencies.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Command Injection via User-Controlled Input (`activity <id>`): The skill instructs the LLM to run `activity <id> --laps`, where `<id>` is user-controlled. If the LLM pastes the id into a command line that a shell interprets, an `<id>` such as `123; rm -rf ~` is split by the shell before `activity` ever runs, so no sanitization inside `activity` can help; the check has to happen before the command is assembled. Validate `<id>` against its expected format (a numeric activity id) and pass it as a separate argument with no shell involved, or better, replace direct shell execution with a dedicated, sandboxed tool function that owns the `activity` logic and parses its own input. | LLM | SKILL.md:30 |
| HIGH | Potential SQL Injection via Ad-Hoc Query Command: The skill reserves `query` for 'advanced, ad-hoc SQL only', which implies a command that executes arbitrary SQL. If `query` splices user-provided text into the statement, it is vulnerable to SQL injection, allowing data exfiltration, modification or, depending on the database configuration, command execution. Even with correct escaping, a free-form SQL command is by design an arbitrary read-and-write primitive for whoever controls the prompt. Do not execute ad-hoc SQL built from user input. Provide specific, parameterized database access functions or a secure ORM for the lookups the skill needs. If ad-hoc queries are truly necessary, run them on a read-only connection with the minimum database permissions required. | LLM | SKILL.md:32 |
| HIGH | Instruction to Gather Credentials: The skill instructs the LLM to 'gather credentials if needed' for Strava. This amounts to credential harvesting: the LLM may prompt the user for sensitive information (username/password, API keys) with no instruction on how to handle or store it, increasing the risk of exposure or misuse (for example, the secret ending up in the conversation transcript or logs). Do not instruct the LLM to 'gather credentials'. Use a secure authentication flow (e.g., OAuth 2.0) in which the LLM only receives tokens, never raw credentials, and keep any API keys in a secrets manager that the tool reads directly. | LLM | SKILL.md:69 |
| HIGH | Dynamic Execution of External Packages via `npx`: The skill explicitly instructs the LLM to execute `npx -y endurance-coach@latest render` and `npx -y endurance-coach@latest schema`. `npx -y` downloads the package from npm and runs it without a confirmation prompt, and `@latest` is resolved at run time, so whoever can publish a new version of `endurance-coach` (a compromised maintainer account, for instance) controls code that executes on the user's machine. Because the package name is fixed in the skill, this is a supply chain risk rather than a command injection vector. Avoid dynamic execution of unpinned external packages: pre-install the tool in a controlled environment and call it through a sandboxed API. If `npx` must be used, pin an exact, reviewed version (e.g., `endurance-coach@1.2.3`); pinning fixes which version runs but does not by itself verify it, so pair it with a lockfile carrying integrity hashes, a private registry, or package auditing. | LLM | SKILL.md:130 |
| MEDIUM | Direct Shell Command Execution (ls): The skill explicitly instructs the LLM to execute a shell command (`ls`) to check for a database file. `ls` itself is low risk, but it establishes a pattern of running shell commands directly, which becomes exploitable if the path is ever user-controlled or if other, more dangerous commands are instructed the same way. Avoid direct shell command execution. If file system checks are necessary, use a sandboxed API or a dedicated tool function that does not expose the underlying shell. | LLM | SKILL.md:17 |
| MEDIUM | Execution of Unspecified CLI Commands (auth, sync): The skill instructs the LLM to use the CLI commands `auth` and `sync`. Their implementation and security implications are not specified, which is a risk if they are vulnerable to injection or perform sensitive operations (such as storing tokens or writing local data) without proper safeguards. Replace direct CLI command execution with dedicated, sandboxed tool functions, and vet the underlying commands for input handling and sensitive side effects. | LLM | SKILL.md:21 |
| MEDIUM | Execution of External Assessment Commands: The skill instructs the LLM to 'Run the assessment commands in @reference/queries.md'. `queries.md` is a file shipped alongside the skill, and the LLM is told to read it and run whatever it contains, so anyone who can modify that file, or feed the model a look-alike, chooses the commands that execute. Avoid instructing the LLM to execute commands defined in external, unverified files. Provide specific, sandboxed tool functions for assessment, or embed the commands directly in the skill with clear sanitization requirements, and apply the same gating to commands from reference files as to any other. | LLM | SKILL.md:28 |
| MEDIUM | Execution of Unspecified CLI Commands (schema, validate, render): The skill instructs the LLM to use the CLI commands `schema`, `validate`, and `render`. Their implementation and security implications are not specified, which is a risk if they are vulnerable to injection or perform sensitive operations without proper safeguards. Replace direct CLI command execution with dedicated, sandboxed tool functions, and vet the underlying commands for input handling and side effects. | LLM | SKILL.md:105 |
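The findings about shell commands (the user-controlled `<id>` in `activity`, unpinned `npx` execution, the `ls` check, the `auth`/`sync`/`schema`/`validate`/`render` commands, and the commands pulled from `reference/queries.md`) share one fix: the agent host, not the LLM, decides what runs, and it runs an argv list rather than a shell string. The following is an added Python example of such a gate; it is not SkillShield's or endurance-coach's code. The allowlist of binaries, the numeric activity-id format and the exact-version rule for `npx` are assumptions made for the demo, and `runner` is injectable so the gate can be exercised without the real binaries installed.

```python
"""Command gate for an agent host: every command a skill asks the LLM to run is
checked here and, if accepted, executed as an argv list with no shell.
Added example, not endurance-coach or SkillShield code; the allowlist and the
numeric activity-id format are assumptions for the demo."""
import re
import shlex
import subprocess
from dataclasses import dataclass

# Binaries the skill's SKILL.md is reported to invoke (assumed to be the full set).
ALLOWED_BINARIES = {"activity", "auth", "sync", "schema", "validate", "render",
                    "query", "ls", "npx"}
# Tokens that only mean something to a shell; a gated command must contain none.
SHELL_OPERATORS = {";", "&", "&&", "|", "||", ">", ">>", "<", "(", ")"}
ACTIVITY_ID = re.compile(r"[0-9]{1,20}")  # assumed format of a Strava activity id
# name@X.Y.Z (optionally @scope/name); rejects @latest, ranges and missing versions.
PINNED_NPM_SPEC = re.compile(r"^(@[a-z0-9._-]+/)?[a-z0-9._-]+@[0-9]+\.[0-9]+\.[0-9]+$")


class CommandRejected(ValueError):
    """Raised when a command fails the gate."""


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    argv: tuple[str, ...]
    reason: str


def tokenize(command: str) -> list[str]:
    """Split like a POSIX shell would, but keep operators as separate tokens so
    '123;' becomes ['123', ';'] and '$(id)' becomes ['$', '(', 'id', ')']."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def check_command(command: str) -> Verdict:
    """Decide whether the command may run and, if so, with which argv."""
    try:
        argv = tokenize(command)
    except ValueError as exc:  # e.g. an unbalanced quote
        return Verdict(False, (), f"cannot parse: {exc}")
    argv_t = tuple(argv)
    for tok in argv:
        if tok in SHELL_OPERATORS:
            return Verdict(False, argv_t, f"shell operator {tok!r} not allowed")
        if "$" in tok or "`" in tok:  # $(...), ${...}, `...` never reach a shell anyway
            return Verdict(False, argv_t, f"shell substitution in {tok!r} not allowed")
    name = argv[0] if argv else ""
    if name not in ALLOWED_BINARIES:
        return Verdict(False, argv_t, f"binary {name!r} not on allowlist")
    if name == "npx":
        # npx [-y] <package-spec> <subcommand...>: the spec must be an exact version.
        specs = [a for a in argv[1:] if not a.startswith("-")]
        if not specs or not PINNED_NPM_SPEC.match(specs[0]):
            return Verdict(False, argv_t, "npx package must be pinned to an exact version")
    if name == "activity":
        # The user-controlled <id> is validated before any process is started.
        if len(argv) < 2 or not ACTIVITY_ID.fullmatch(argv[1]):
            return Verdict(False, argv_t, "activity id must be numeric")
    return Verdict(True, argv_t, "ok")


def run_gated(command: str, runner=subprocess.run):
    """Execute only if the gate passes, as an argv list with shell=False, so even
    a token that slipped through is an argument, not shell syntax."""
    verdict = check_command(command)
    if not verdict.allowed:
        raise CommandRejected(verdict.reason)
    return runner(list(verdict.argv), shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    for cmd in ("activity 123 --laps",
                "activity 123; rm -rf ~ --laps",
                "activity $(id) --laps",
                "npx -y endurance-coach@latest render",
                "npx -y endurance-coach@1.2.3 render"):
        v = check_command(cmd)
        print(f"{'ALLOW' if v.allowed else 'DENY ':5} {cmd!r}: {v.reason}")
```

The tokenizer keeps shell operators as their own tokens so a rejection can name what was found, but the real protection is that `run_gated` never invokes a shell: with `shell=False` a stray `;` would reach `activity` as a literal argument. The flip side is that `~` and `*` are not expanded either, so paths must be resolved by the tool (for example with `os.path.expanduser`) rather than written as shell shorthand in SKILL.md.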
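For the `query` finding, the two-layer remediation (parameterized lookups for what the skill actually needs, and a least-privilege connection for anything ad-hoc) as an added Python example built on SQLite's authorizer hook. This is not the endurance-coach project's code; the `activities` table and its rows are constructed for the demo.

```python
"""Read-only wrapper for an ad-hoc SQL command. Added example, not endurance-coach
code; the `activities` table is constructed for the demo. Known lookups bind
their parameters, and free-form SQL runs on a connection whose SQLite authorizer
denies everything except reads."""
import sqlite3

# Authorizer actions a read-only query may perform: the SELECT itself, column
# reads, and SQL function calls (count, avg, ...). Everything else (INSERT, UPDATE,
# DELETE, DROP, PRAGMA, ATTACH, transactions) is denied while SQLite compiles the
# statement, before any row is touched.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def _read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def seed_demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the skill's local training database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activities (id INTEGER PRIMARY KEY, name TEXT, "
                 "distance_m REAL, moving_s INTEGER)")
    conn.executemany("INSERT INTO activities VALUES (?, ?, ?, ?)", [
        (1001, "Easy run", 8042.0, 2700),
        (1002, "Long ride", 64300.0, 8100),
        (1003, "Intervals", 10050.0, 2950),
    ])
    conn.commit()
    return conn


def restrict_to_reads(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Lock the connection down before any LLM-authored SQL reaches it.
    query_only stops writes that might get past the authorizer; the authorizer
    in turn denies PRAGMA, so the LLM cannot switch query_only back off."""
    conn.execute("PRAGMA query_only = ON")
    conn.set_authorizer(_read_only_authorizer)
    return conn


def get_activity(conn: sqlite3.Connection, activity_id: int):
    """The fixed lookup the skill needs: the id is bound, never interpolated."""
    return conn.execute(
        "SELECT id, name, distance_m FROM activities WHERE id = ?", (activity_id,)
    ).fetchone()


def run_adhoc(conn: sqlite3.Connection, sql: str, params=()):
    """Ad-hoc SQL as a `query` command would run it. execute() accepts a single
    statement, so a stacked '...; DELETE ...' is rejected by sqlite3 itself."""
    return conn.execute(sql, params).fetchall()


def is_refused(conn: sqlite3.Connection, sql: str) -> bool:
    """True when the authorizer or query_only blocked the statement (as opposed
    to it failing for another reason, such as a syntax error)."""
    try:
        run_adhoc(conn, sql)
    except sqlite3.DatabaseError as exc:
        msg = str(exc)
        return "not authorized" in msg or "prohibited" in msg or "readonly" in msg
    return False


if __name__ == "__main__":
    db = restrict_to_reads(seed_demo_db())
    print(get_activity(db, 1002))
    print(run_adhoc(db, "SELECT count(*), round(sum(distance_m)) FROM activities"))
    for bad in ("DELETE FROM activities", "DROP TABLE activities",
                "PRAGMA query_only = OFF", "ATTACH ':memory:' AS x"):
        print(f"{bad!r} refused: {is_refused(db, bad)}")
```

The authorizer is consulted while SQLite compiles the statement, so a denied `DELETE`, `DROP`, `PRAGMA` or `ATTACH` fails before execution starts. This contains damage but not disclosure: an ad-hoc `SELECT` can still read every table on the connection, which is why the parameterized lookup functions, not `query`, should be the default path for the skill.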
Full report: https://skillshield.io/report/3a6caaac711100f4