Trust Assessment
findmy-location received a trust score of 30/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/poiley/findmy-location/findmy-location.py:16 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/poiley/findmy-location/findmy-location.py:16 |
| HIGH | Command Injection via External Script Execution: The `findmy-location.py` script uses `subprocess.run(cmd, shell=True)` to execute external commands. Specifically, it attempts to find and execute an `hsclick` script. While the arguments passed to `hsclick` (coordinates) are derived from internal processing and appear to be integers, the `hsclick` script itself is user-installed and its content is not verified by the `findmy-location.py` script. A malicious user could replace or modify the `hsclick` script in one of the searched paths (`~/clawd/scripts/hsclick`, `~/.local/bin/hsclick`, `/usr/local/bin/hsclick`), leading to arbitrary command execution when `findmy-location.py` is run. Avoid using `shell=True` with `subprocess.run` when executing external scripts. If external script execution is unavoidable, implement robust integrity checks (e.g., checksum verification) for the script before execution. Alternatively, rewrite the `hsclick` functionality directly within the Python script to avoid external execution. | LLM | findmy-location.py:58 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/poiley/findmy-location/install.sh:5 |
| MEDIUM | Unpinned Dependencies in Installation Instructions: The installation instructions for `peekaboo` and `Hammerspoon` use `brew install` without specifying a version. This means that future installations could pull in new, potentially incompatible, or even malicious versions of these dependencies, introducing supply chain risks. While the skill is a rubric, this pattern in installation instructions is a risk. Pin dependency versions in installation instructions to ensure reproducibility and mitigate risks from upstream changes. For Homebrew, consider using `brew install <formula>@<version>` or leveraging Homebrew's `Brewfile` for version management. | LLM | SKILL.md:23 |
| INFO | Excessive Permissions Required for UI Automation: The skill relies on the `peekaboo` utility, which requires broad system permissions such as Accessibility and Screen Recording. While these permissions are necessary for the skill's core functionality (UI automation to interact with the Find My app), users should be fully aware of the security implications of granting such extensive access to any application. Ensure that the necessity and implications of these permissions are clearly documented for users. If possible, explore alternative methods that require fewer privileges, though this may not be feasible for UI automation tasks. | LLM | SKILL.md:26 |