Trust Assessment
hour-meter received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 5 critical, 0 high, 3 medium, and 2 low severity. Key findings include "File read + network send exfiltration", "Credential harvesting", and "Suspicious import: urllib.request".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | File read + network send exfiltration: .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/rm289/tardis/scripts/meter.py:34 |
| CRITICAL | Credential harvesting: Reading well-known credential environment variables. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/rm289/tardis/scripts/meter.py:31 |
| CRITICAL | Credential harvesting: Reading well-known credential environment variables. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/rm289/tardis/scripts/meter.py:439 |
| CRITICAL | Credential harvesting: Reading well-known credential environment variables. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/rm289/tardis/scripts/meter.py:586 |
| CRITICAL | `os.system` call with user-controlled input. The `meter.py` script uses `os.system(f"open 'mailto:{email_address}?subject={subject_encoded}&body={body_encoded}'")` to open a mail client. The `email_address` variable is derived from user input (the `--email` argument or meter configuration). Although `subject_encoded` and `body_encoded` are URL-encoded, `os.system` executes the entire string via the shell. A malicious `email_address` containing shell metacharacters (e.g., `attacker@example.com'; rm -rf /`) could lead to arbitrary command execution on the host system. Replace `os.system` with `subprocess.run` using `shell=False` and pass arguments as a list. For `mailto:` URLs, consider using a dedicated library or opening the URL directly in a browser if `os.system` is not strictly necessary for the `open` command. Ensure all components of the URL are properly escaped for the shell if `os.system` must be used (though this is generally discouraged). | LLM | scripts/meter.py:702 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/rm289/tardis/scripts/meter.py:20 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/rm289/tardis/scripts/sendgrid_webhook.py:37 |
| MEDIUM | Unpinned or implicit external dependencies. The `meter.py` script optionally imports `qrcode`, and `sendgrid_webhook.py` optionally imports `cryptography`. The provided context does not include a `requirements.txt`, `pyproject.toml`, or similar dependency management file that pins these external libraries to specific versions. This makes the skill vulnerable to supply chain attacks, such as dependency confusion, typosquatting, or malicious updates to unpinned versions of these libraries. Create a `requirements.txt` or `pyproject.toml` file that explicitly lists and pins all external dependencies (e.g., `qrcode==7.3.1`, `cryptography==3.4.8`). This ensures that the skill always uses known, tested versions of its dependencies. | LLM | scripts/meter.py:160 |
| LOW | Potential Agent Instruction Injection via Milestone Messages. The `SKILL.md` documentation mentions an 'Advanced' feature where 'Milestone messages prefixed with `ACTION:` can optionally be treated as agent instructions by your heartbeat config.' While explicitly stated as an opt-in feature with security considerations, this pattern introduces a vector for prompt injection if the agent's configuration is not carefully secured. A malicious or compromised milestone message could potentially manipulate the agent's behavior if the agent is configured to execute these messages without proper sanitization or sandboxing. Users should be strongly cautioned about enabling this feature without robust sandboxing and input validation for agent instructions. The agent configuration should strictly validate and sanitize any `ACTION:` prefixed messages before execution. | LLM | SKILL.md:190 |
| LOW | Accessing `/root/.env` for environment variables. The `_load_dotenv` function in `meter.py` explicitly attempts to load environment variables from `/root/.env`. This suggests the skill might be intended to run with root privileges or expects to access the root user's home directory. Running skills with unnecessary root privileges significantly increases the attack surface and the impact of any successful exploit. Review the necessity of accessing `/root/.env`. If the skill does not require root privileges, remove this path from the `_load_dotenv` function. Ensure the skill is run with the principle of least privilege. | LLM | scripts/meter.py:35 |