Trust Assessment
frigatebird received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via CLI arguments, Access to sensitive browser profiles and authentication tokens, Unpinned `frigatebird` npm package dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Access to sensitive browser profiles and authentication tokens The `frigatebird` tool operates by accessing browser session cookies and can be configured to use full Chrome or Firefox profiles via `--chrome-profile` or `--firefox-profile` options. If the skill is instructed to use a user's local browser profile, it grants the underlying tool access to a vast amount of sensitive personal data (e.g., browsing history, saved passwords, all website cookies, autofill data) stored within that profile. This constitutes a severe data exfiltration and excessive permission risk. Additionally, the `--auth-token` and `--ct0` options handle sensitive authentication tokens directly, which could be exposed if not handled securely. 1. **Restrict Profile Access:** Strongly advise against using `--chrome-profile` or `--firefox-profile` with user's primary profiles. If necessary, recommend using isolated, temporary, or dedicated profiles with minimal data. 2. **Token Handling:** Implement secure handling for `--auth-token` and `--ct0`, ensuring they are not logged, stored insecurely, or exposed to unauthorized parties. 3. **User Consent:** Explicitly inform the user about the data access implications when these options are used and require explicit consent. | LLM | SKILL.md:49 | |
| HIGH | Potential Command Injection via CLI arguments The skill invokes the `frigatebird` CLI tool with arguments derived from user input (e.g., tweet text, article title/body, list names). If the LLM constructs the shell command by directly interpolating untrusted user input into these arguments without proper shell escaping, a malicious user could inject arbitrary shell commands, leading to remote code execution. Ensure all user-provided arguments passed to `frigatebird` are properly shell-escaped before constructing the command string. Consider using a library or function specifically designed for safe command execution. | LLM | SKILL.md:34 | |
| HIGH | Unpinned `frigatebird` npm package dependency The skill relies on the `frigatebird` npm package, but the manifest and documentation do not specify a fixed version. This means that `npm install -g frigatebird` or `npx frigatebird` will always fetch the latest available version. This introduces a supply chain risk, as a malicious update to the `frigatebird` package (e.g., due to a compromised maintainer account or intentional malicious code injection) could lead to arbitrary code execution or data exfiltration on the system where the skill is run. Pin the `frigatebird` dependency to a specific, known-good version in the skill's manifest or installation instructions (e.g., `frigatebird@1.0.0`). Regularly review and update the pinned version after verifying its integrity. | LLM | SKILL.md:22 | |
| MEDIUM | Potential Path Traversal via `batch` command The `frigatebird batch accounts.json` command suggests that the tool can read a file specified by its path. If the `accounts.json` argument can be controlled by untrusted user input, a malicious user could attempt path traversal (e.g., `frigatebird batch ../../../etc/passwd`) to read arbitrary files from the file system where the skill is executed. This could lead to data exfiltration. 1. **Input Validation:** Strictly validate and sanitize any user-provided file paths to prevent path traversal attempts. 2. **Confine File Access:** If possible, restrict file operations to a specific, sandboxed directory. 3. **Explicit Confirmation:** For sensitive file operations, require explicit user confirmation. | LLM | SKILL.md:39 |
Scan History
Embed Code
[](https://skillshield.io/report/cd1587e7d7d4f94c)
Powered by SkillShield