Trust Assessment
holocube-emotes received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 22 findings: 6 critical, 7 high, 9 medium, and 0 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (22)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/thrive-spencerj/holocube-emotes/scripts/generate_sprites.py:50 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/thrive-spencerj/holocube-emotes/scripts/generate_sprites.py:84 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/thrive-spencerj/holocube-emotes/scripts/generate_sprites.py:103 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/thrive-spencerj/holocube-emotes/scripts/generate_sprites.py:81 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/thrive-spencerj/holocube-emotes/scripts/generate_sprites.py:100 | |
| CRITICAL | Malicious emote name can trigger device commands via URL path traversal The `emote` argument, which can be user-provided (e.g., via `python3 holocube.py <emote>`), is directly interpolated into the `filename` which is then URL-encoded and used in the `img` query parameter of the holocube's `/set` endpoint. A malicious `emote` name like `neutral/../set?reset=1` would result in a URL path like `/set?img=/image/adam-neutral/../set?reset=1.gif`. This path traversal within the `img` parameter could be interpreted by the holocube's web server as a direct command, potentially triggering a factory reset or other unintended actions, as explicitly warned in the `SKILL.md` about `/set?reset=1`. Sanitize the `emote` argument to ensure it only contains alphanumeric characters and hyphens, preventing path separators (`/`, `\`) or other special characters that could be used for path traversal or command injection. | LLM | scripts/holocube.py:70 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/thrive-spencerj/holocube-emotes/scripts/generate_sprites.py:81 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/thrive-spencerj/holocube-emotes/scripts/generate_sprites.py:100 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'generate_base'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/thrive-spencerj/holocube-emotes/scripts/generate_sprites.py:84 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'generate_emote'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/thrive-spencerj/holocube-emotes/scripts/generate_sprites.py:103 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'find_nano_banana'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/thrive-spencerj/holocube-emotes/scripts/generate_sprites.py:50 | |
| HIGH | Potential data exfiltration: file read + network send Function 'convert_and_upload' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/thrive-spencerj/holocube-emotes/scripts/onboard.py:167 | |
| HIGH | Path traversal vulnerability in device backup function The `backup_device` function downloads files from the holocube using `urllib.request.urlretrieve`. The filenames (`f`) are extracted from the device's file list. If a malicious holocube device returns a filename containing path traversal sequences (e.g., `../../etc/passwd`), the `Path(backup_dir) / f` operation will resolve to a path outside the intended `backup_dir`. This could allow an attacker to write arbitrary files to arbitrary locations on the local filesystem where the script is executed, potentially overwriting critical system files or placing malicious executables. Before constructing the target path, sanitize the filename `f` to remove any path separators (`/`, `\`) or `..` components. Alternatively, use `Path.resolve()` on the final target path and verify that it remains a subpath of `backup_dir.resolve()`. | LLM | scripts/setup_device.py:70 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/thrive-spencerj/holocube-emotes/scripts/onboard.py:4 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/thrive-spencerj/holocube-emotes/scripts/holocube.py:15 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/thrive-spencerj/holocube-emotes/scripts/holocube.py:27 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/thrive-spencerj/holocube-emotes/scripts/onboard.py:11 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/thrive-spencerj/holocube-emotes/scripts/onboard.py:13 | |
| MEDIUM | Suspicious import: http.client Import of 'http.client' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/thrive-spencerj/holocube-emotes/scripts/onboard.py:163 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/thrive-spencerj/holocube-emotes/scripts/setup_device.py:12 | |
| MEDIUM | Suspicious import: http.client Import of 'http.client' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/thrive-spencerj/holocube-emotes/scripts/setup_device.py:80 | |
| MEDIUM | User-controlled character description passed to LLM prompt The `onboard.py` script allows the user to provide a custom character description, which is then used as part of the `--prompt` argument for the `nano-banana-pro` skill's image generation script (`generate_image.py`). If `generate_image.py` is an LLM-based skill, a malicious user could craft a prompt injection payload within the character description to manipulate the behavior of the image generation LLM, potentially leading to unintended image content, resource exhaustion, or other undesirable outcomes. Implement sanitization or validation on the user-provided `character_desc` to remove or neutralize potential prompt injection payloads. Consider using a separate, more constrained input field for style/character type rather than a free-form text field if the downstream LLM is highly sensitive. | LLM | scripts/onboard.py:152 | |