Trust Assessment
hydra-evolver received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 7 critical, 3 high, 3 medium, and 1 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Suspicious import: socket.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings14
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/spamtylor/hydra-evolver/scripts/provision.sh:22 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/spamtylor/hydra-evolver/scripts/provision.sh:31 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/spamtylor/hydra-evolver/scripts/provision.sh:42 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spamtylor/hydra-evolver/scripts/provision.sh:22 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spamtylor/hydra-evolver/scripts/provision.sh:31 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spamtylor/hydra-evolver/scripts/provision.sh:42 | |
| CRITICAL | Unverified remote script execution (curl | sh) The `provision.sh` script downloads and executes shell scripts directly from external URLs (`https://get.docker.com`, `https://get.volta.sh`, `https://tailscale.com/install.sh`) without any integrity checks (e.g., checksum verification). This poses a critical supply chain risk. If any of these remote servers are compromised, an attacker could inject arbitrary code, leading to immediate command injection and full system compromise on the host running the skill. Avoid piping `curl` output directly to `sh`. Instead, download scripts, verify their integrity (e.g., against a known checksum), and then execute them. Consider using package managers (e.g., `apt`, `dnf`, `yum`) where possible, or official installation methods that include signature verification. | LLM | scripts/provision.sh:19 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/spamtylor/hydra-evolver/scripts/scan.py:36 | |
| HIGH | Broad system modification capabilities The `provision.sh` script performs extensive system-level modifications, including installing Docker, Node.js (via Volta), Tailscale, and a global npm package (`openclaw`). It also modifies user groups (`usermod -aG docker $SUDO_USER`). These operations require elevated privileges (root/sudo) and grant the skill a very broad scope of control over the host system. While intended for provisioning, such capabilities, if exploited, could lead to significant system compromise. Restrict the skill's execution environment to minimize its impact on the host system. If such broad provisioning is necessary, ensure strict input validation and consider running the skill within a highly isolated and ephemeral environment (e.g., a dedicated VM or container) with minimal host access. Clearly document the required permissions and their implications. | LLM | scripts/provision.sh:16 | |
| HIGH | Requests high-privilege Proxmox API tokens The skill manifest explicitly requests access to `PVE_TOKEN_ID` and `PVE_TOKEN_SECRET` environment variables. These are highly sensitive credentials that grant API access to a Proxmox environment. While necessary for the skill's stated purpose ("Proxmox-native orchestration"), their exposure to the skill means that any vulnerability within the skill (e.g., data exfiltration) could lead to the compromise of these tokens and, consequently, the entire Proxmox infrastructure. Implement strict access controls and least privilege principles for API tokens. Ensure that the skill's code handles these credentials securely, avoiding logging or unnecessary exposure. Consider using short-lived tokens or role-based access control (RBAC) to limit the scope of compromise if tokens are exfiltrated. The skill should only be granted the minimum necessary permissions within Proxmox. | LLM | SKILL.md | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/spamtylor/hydra-evolver/scripts/scan.py:2 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/spamtylor/hydra-evolver/scripts/provision.sh:32 | |
| MEDIUM | Untrusted data embedded in LLM-facing output The `scripts/evolve.py` script reads content from `PROJECTS.md` (specifically project `name` and `location`) and embeds it directly into the `instruction` field of the `evolution_plan.json` output. This JSON output is intended to be consumed by an LLM. If an attacker can manipulate the content of `PROJECTS.md` (e.g., by writing to it via another compromised skill or direct file access), they could inject malicious instructions into the `name` or `location` fields. When the LLM processes the `evolution_plan.json`, these injected instructions could lead to prompt injection, manipulating the LLM's behavior. Sanitize or escape any untrusted data read from files before embedding it into LLM-facing output. Specifically, ensure that `name` and `location` from `PROJECTS.md` are stripped of any potential prompt injection keywords or formatting that could manipulate an LLM. Consider using a dedicated LLM-safe templating mechanism or strict allow-listing for content. | LLM | scripts/evolve.py:104 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/spamtylor/hydra-evolver/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/7e510b99ca998c27)
Powered by SkillShield