Trust Assessment
hidpi-mouse received a trust score of 37/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 0 high, 5 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME" and "Command Injection via unquoted user input in xdotool search".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 65/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via unquoted user input in xdotool search.** The `scripts/reliable_click.sh` script constructs an `xdotool search` command by directly interpolating the user-provided `$WINDOW_NAME` variable without proper quoting or sanitization. An attacker can inject arbitrary shell commands by crafting a malicious `WINDOW_NAME` string (e.g., `'; rm -rf /tmp/*; #'`), which will be executed by the shell when the `xdotool search` command is run. This allows for arbitrary code execution on the host system. To prevent command injection, the `$WINDOW_NAME` variable must be properly quoted or sanitized before being passed to `xdotool search`. A robust solution would involve escaping single quotes in the input, or if `xdotool` supports it, using a null-delimited input mechanism. For shell scripts, one common approach is to escape special characters or use `printf %q` if the target command interprets it correctly. Alternatively, list all windows and filter them in a safer manner within the script (e.g., using `grep` on the output of `xdotool search --name` with a fixed pattern). | LLM | scripts/reliable_click.sh:50 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/zeyuyuyu/hidpi-mouse/scripts/calibrate.sh:11 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/zeyuyuyu/hidpi-mouse/scripts/click.sh:10 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/zeyuyuyu/hidpi-mouse/scripts/detect-scale.sh:12 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/zeyuyuyu/hidpi-mouse/scripts/drag.sh:10 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/zeyuyuyu/hidpi-mouse/scripts/move.sh:10 |