Trust Assessment
graphiti received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 3 critical, 1 high, 0 medium, and 0 low severity. Key findings include: network egress to untrusted endpoints; unsanitized user input in `curl -d` leading to command injection; and a dynamic API endpoint that allows data exfiltration to an attacker-controlled server.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: HTTP request to a raw IP address. Recommendation: review all outbound network calls and remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/emasoudy/graphiti/SKILL.md:50 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to a raw IP address. Recommendation: review all outbound network calls and remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/emasoudy/graphiti/SKILL.md:52 |
| CRITICAL | Unsanitized user input in `curl -d` leads to command injection. The `bash command:` blocks in `SKILL.md` construct `curl` commands where the JSON payload for the `-d` argument is enclosed in a single-quoted string. Placeholders like `YOUR_QUERY`, `EPISODE_NAME`, and `EPISODE_CONTENT` are inserted directly into this string. If an attacker (via prompt injection) causes the LLM to generate input containing a single quote (`'`), it breaks out of the single-quoted string, allowing arbitrary shell commands to be executed. For example, if `YOUR_QUERY` is `foo' && rm -rf /`, the shell command becomes `curl ... -d '{"query": "foo' && rm -rf /", "max_facts": 10}'`, leading to execution of `rm -rf /`. Recommendation: the LLM's output for `YOUR_QUERY`, `EPISODE_NAME`, and `EPISODE_CONTENT` must be properly escaped for shell single-quoted strings before being inserted. A safer approach is to use a templating mechanism that handles shell escaping, or to pass the JSON payload via stdin (e.g., `curl -d @- <<< '{"query": "YOUR_QUERY"}'`), ensuring `YOUR_QUERY` is JSON-escaped. | LLM | SKILL.md:19 |
| HIGH | Dynamic API endpoint allows data exfiltration to an attacker-controlled server. The `GRAPHITI_URL` is dynamically determined by `references/env-check.sh`, prioritizing `clawdbot config` and environment variables. The `SKILL.md` explicitly shows how to change this URL via `clawdbot config set` or `export`. An attacker able to manipulate these settings (e.g., via prompt injection leading to execution of `clawdbot config set` or `export`) could redirect the `curl` commands to an arbitrary external server. Although `env-check.sh` performs a `/health` check, this is easily satisfied by a malicious server. Any sensitive data passed as `query`, `name`, or `content` to `graphiti_search` or `graphiti_add` could then be exfiltrated to the attacker's server. Recommendation: restrict the ability to change `GRAPHITI_URL` to a predefined set of trusted endpoints, or implement stronger validation (e.g., allow-listing domains/IPs). If dynamic configuration is necessary, ensure that the LLM cannot directly modify these configuration sources, or that any modifications are subject to human review/approval. Consider whether `GRAPHITI_URL` needs to be so easily configurable from the LLM's execution context. | LLM | references/env-check.sh:4 |
Full report: https://skillshield.io/report/d6e71bb72e6c403d