Trust Assessment
imsg-autoresponder received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 27 findings: 23 critical, 2 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings27
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:8 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/watcher-old.js:8 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/watcher.js:8 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:103 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:114 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:135 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:147 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:168 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:326 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:335 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:344 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:353 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:362 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:374 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:386 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:398 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:410 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koba42corp/i-responder/scripts/telegram-handler.js:480 | |
| CRITICAL | Command Injection via Unquoted Numeric Arguments The `telegram-handler.js` script uses `execSync` to call `manage.js` with user-controlled numeric arguments (`minutes`, `max`) that are not properly quoted. This allows an attacker to inject arbitrary shell commands by providing input like '30; rm -rf /'. Always quote all arguments passed to `execSync` or use `child_process.spawn` with an array of arguments to prevent shell interpretation. For numeric inputs, ensure they are cast to integers and validated before use. | LLM | scripts/telegram-handler.js:139 | |
| CRITICAL | Command Injection via Unquoted Numeric Arguments The `telegram-handler.js` script uses `execSync` to call `manage.js` with user-controlled numeric arguments (`minutes`, `max`) that are not properly quoted. This allows an attacker to inject arbitrary shell commands by providing input like '30; rm -rf /'. This specific instance is for `handleSetAllDelays`. Always quote all arguments passed to `execSync` or use `child_process.spawn` with an array of arguments to prevent shell interpretation. For numeric inputs, ensure they are cast to integers and validated before use. | LLM | scripts/telegram-handler.js:159 | |
| CRITICAL | Command Injection via Unquoted Numeric Arguments The `telegram-handler.js` script uses `execSync` to call `manage.js` with user-controlled numeric arguments (`minutes`, `max`) that are not properly quoted. This allows an attacker to inject arbitrary shell commands by providing input like '30; rm -rf /'. This specific instance is for `handleSetDailyCap`. Always quote all arguments passed to `execSync` or use `child_process.spawn` with an array of arguments to prevent shell interpretation. For numeric inputs, ensure they are cast to integers and validated before use. | LLM | scripts/telegram-handler.js:209 | |
| CRITICAL | Command Injection via Unescaped User Input in `grep` The `telegram-handler.js` script constructs shell commands using `grep` with user-controlled input (`identifier`) without proper escaping. A malicious `identifier` (e.g., `"$(rm -rf /)"`) could lead to arbitrary command execution. Additionally, the `limit` argument in `handleHistory` is unquoted, posing another command injection vector. Avoid constructing shell commands directly with user input. Instead, use `child_process.spawn` with an array of arguments, which prevents shell interpretation. If `grep` is strictly necessary, ensure all user-provided arguments are thoroughly escaped for the shell context, and numeric arguments are validated and quoted. | LLM | scripts/telegram-handler.js:149 | |
| CRITICAL | Command Injection via Unescaped User Input in `grep` The `telegram-handler.js` script constructs shell commands using `grep` with user-controlled input (`identifier`) without proper escaping. A malicious `identifier` (e.g., `"$(rm -rf /)"`) could lead to arbitrary command execution. This specific instance is for `handleStats`. Avoid constructing shell commands directly with user input. Instead, use `child_process.spawn` with an array of arguments, which prevents shell interpretation. If `grep` is strictly necessary, ensure all user-provided arguments are thoroughly escaped for the shell context. | LLM | scripts/telegram-handler.js:200 | |
| HIGH | Prompt Injection via User-Controlled AI Prompt The skill allows users to define a custom `prompt` for each contact, which is directly incorporated into the AI's system prompt in `watcher.js`. A malicious user could inject instructions into this `prompt` field (e.g., via `/autorespond add` or `/autorespond edit`) to manipulate the AI's behavior, potentially leading to unintended responses, data exfiltration, or other harmful actions. Implement robust prompt engineering techniques. Encapsulate user-controlled prompts within specific, unambiguous delimiters (e.g., XML tags like `<user_prompt>...</user_prompt>`) and instruct the LLM to treat content within these delimiters as user input, not instructions. Add a strong system prompt that reinforces the LLM's role and explicitly forbids instruction following from user-provided content. | LLM | scripts/watcher.js:170 | |
| HIGH | Data Exfiltration via Log File Access and Command Injection The `handleHistory` and `handleStats` functions in `telegram-handler.js` read from `imsg-autoresponder.log` using `grep` with user-controlled input (`identifier`). Combined with the command injection vulnerability (SS-CMD-002), an attacker could craft a malicious `identifier` to search for and extract sensitive information (e.g., API keys, personal data from messages) that might be present in the log file. Mitigate the underlying command injection vulnerabilities (SS-CMD-002) to prevent arbitrary log file access. Additionally, review logging practices to ensure no sensitive information is written to logs that could be exfiltrated. If log searching is required, implement it using safe, programmatic methods rather than direct shell command execution with user input. | LLM | scripts/telegram-handler.js:149 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/koba42corp/i-responder/scripts/watcher.js:273 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/koba42corp/i-responder/scripts/launcher.sh:8 |
Scan History
Embed Code
[](https://skillshield.io/report/3e8e22897a5a093e)
Powered by SkillShield