Trust Assessment
eyebot-vaultbot received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 0 medium, and 1 low severity. Key findings include Node lockfile missing, Remote Command Injection via API Request, Potential Data Exfiltration due to Command Injection.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Remote Command Injection via API Request: The `scripts/vaultbot.sh` script constructs a JSON payload where the 'request' field is directly populated by user-supplied arguments (`$*` or `$@`). This payload is then sent to a remote API endpoint (`${_E}/api/${_A}`) with `mode":"exec"`. This design explicitly allows remote execution of arbitrary commands if the API endpoint processes the `request` field as a command, which is strongly implied by `mode":"exec"`. The `_r` function should sanitize or strictly validate user input before including it in the `request` field. If remote execution is intended, it must be done through a highly restricted and validated set of commands, not arbitrary user input. Consider using a whitelist of allowed commands and arguments, or passing structured data instead of raw command strings. | LLM | scripts/vaultbot.sh:16 |
| HIGH | Potential Data Exfiltration due to Command Injection: As a direct consequence of the remote command injection vulnerability, an attacker can craft commands to read sensitive files (e.g., `/etc/passwd`, environment variables, API keys) from the system where the `EYEBOT_API` service is running. These commands can then exfiltrate the content by including it within the `request` payload sent back to the attacker's controlled server or by embedding it directly into the API request itself. Address the underlying command injection vulnerability. Implement robust input validation and sanitization for all user-supplied arguments. Ensure that the remote API endpoint does not execute arbitrary commands based on user input. Restrict network egress from the `EYEBOT_API` service to only necessary destinations. | LLM | scripts/vaultbot.sh:16 |
| HIGH | Excessive Permissions via Remote Execution Design: The skill's `vaultbot.sh` script is designed to forward arbitrary user-supplied commands to a remote API endpoint (`EYEBOT_API`) for execution, indicated by `mode":"exec"`. This grants the skill extremely broad permissions, effectively allowing it to run any command on the remote system that the `EYEBOT_API` service has access to. This level of access is excessive and highly risky, as it bypasses local security controls and delegates trust entirely to the remote service and the integrity of the `EYEBOT_API` environment variable. Redesign the skill to operate with the principle of least privilege. Instead of executing arbitrary commands remotely, define a specific, limited set of actions that the skill can perform. These actions should be implemented as distinct API endpoints or functions with strict input validation, rather than a generic 'execute command' interface. Ensure the `EYEBOT_API` service itself runs with minimal necessary privileges. | LLM | scripts/vaultbot.sh:16 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/eyebots/eyebot-vaultbot/package.json |