Trust Assessment
glance received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Arbitrary Command Execution via `agent_refresh` `fetch.instructions`, Sensitive Data Exfiltration via `agent_refresh` `fetch.instructions`, and Broad Permissions Granted to Subagents Executing `fetch.instructions`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via `agent_refresh` `fetch.instructions`: The skill explicitly instructs the agent to spawn a subagent and execute the content of `widget.fetch.instructions` using powerful tools like `exec` and `PTY`. Since `fetch.instructions` are generated by the AI based on user input ("Create custom widgets with natural language"), a malicious user could craft a prompt to induce the AI to generate arbitrary shell commands within `fetch.instructions`. These commands would then be executed by the subagent with its full permissions, leading to arbitrary command injection and potential system compromise. Implement strict sanitization and validation of the `fetch.instructions` content before it is passed to `sessions_spawn` or executed by `exec`/`PTY`. Consider using a highly sandboxed environment (e.g., containerized execution, restricted shell) for executing `fetch.instructions` to limit the blast radius of malicious commands. Restrict the set of allowed commands or arguments. | LLM | SKILL.md:296 |
| CRITICAL | Sensitive Data Exfiltration via `agent_refresh` `fetch.instructions`: As a direct consequence of the command injection vulnerability in `fetch.instructions`, a malicious user could craft prompts that lead the AI to generate `fetch.instructions` designed to exfiltrate sensitive data. This could involve reading local files (e.g., `/etc/passwd`, `.env` files, SSH keys, `~/.aws/credentials`), environment variables (`env`), or other user data, and then transmitting this information to an external, attacker-controlled server using network tools like `curl` or `web_fetch`. The skill explicitly mentions `exec` and `web_fetch` as tools available to the subagent. Implement strict sanitization and validation of `fetch.instructions` to prevent commands that read sensitive files or exfiltrate data. Restrict network access for subagents executing `fetch.instructions` to only whitelisted endpoints. Implement data loss prevention (DLP) mechanisms. | LLM | SKILL.md:296 |
| HIGH | Broad Permissions Granted to Subagents Executing `fetch.instructions`: The `agent_refresh` mechanism is designed to allow subagents to execute arbitrary commands using powerful tools like `exec`, `PTY`, and `browser`. While this is a core functional requirement for the skill, it means that any successful command injection or malicious instruction within `fetch.instructions` will be executed with the full permissions of the subagent. This broad access to the filesystem, network, and system commands significantly increases the potential impact of any exploit, allowing for system compromise, data destruction, or persistent backdoor installation. Implement the principle of least privilege for subagents executing `fetch.instructions`. This includes running them in isolated environments (e.g., containers, virtual machines) with minimal necessary filesystem and network access. Restrict the capabilities of `exec` and `PTY` to only specific, whitelisted commands and arguments. | LLM | SKILL.md:304 |