Trust Assessment
ephemeral-media-hosting received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is that the skill executes privileged commands via sudo.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Skill executes privileged commands via sudo. The `media-setup.sh` script, which is explicitly executed by the skill, contains `sudo` commands to create directories, change ownership, and set permissions. This implies that the AI agent's execution environment must grant `sudo` privileges to run this skill. Granting `sudo` access to an AI agent skill is an excessive permission and poses a significant security risk, as it allows the agent to perform system-level modifications. While the specific commands use hardcoded paths and variables, the capability to execute `sudo` itself is a privilege escalation concern. Re-evaluate the necessity of `sudo` for an AI agent skill. If system-level setup is required, ensure the execution environment is strictly sandboxed and that the LLM cannot arbitrarily execute other `sudo` commands. Consider using a dedicated setup script run by an administrator, rather than embedding `sudo` calls directly in the skill for LLM execution. | LLM | SKILL.md:30 |