Trust Assessment
jasper-recall received a trust score of 41/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 1 critical, 2 high, 4 medium, and 1 low severity. Key findings include "Missing required field: name", "Sensitive environment variable access: $HOME", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Command Injection via Unquoted Environment Variables in Bash Script | The `digest-sessions.sh` script uses environment variables `RECALL_SESSIONS_DIR` and `RECALL_DIGEST_DIR` directly in shell commands (`ls`, `mkdir -p`, `cat >`) without proper quoting. An attacker who can control these environment variables can inject arbitrary shell commands, leading to remote code execution. Always quote shell variables when used in commands, especially when they can be influenced by user input or environment variables. For example, use `ls -A "$SESSIONS_DIR"/*.jsonl` and `mkdir -p "$DIGEST_DIR"`. | LLM | scripts/digest-sessions.sh:20 |
| HIGH | Excessive Permissions / Data Exfiltration via Manipulated Workspace Paths in Python Scripts | Multiple Python scripts (`index-digests.py`, `summarize-old.py`, `sync-shared.py`, `write-learning.py`) determine critical file paths (e.g., `WORKSPACE`, `MEMORY_DIR`, `CHROMA_DIR`) from environment variables (`RECALL_WORKSPACE`, `RECALL_CHROMA_DB`). If an attacker can control these environment variables, they can direct the scripts to read, write, or index data from arbitrary locations on the filesystem. This can lead to data exfiltration (indexing sensitive files), data corruption (overwriting arbitrary files), or denial of service. Restrict the ability to set `RECALL_WORKSPACE` and `RECALL_CHROMA_DB` environment variables in untrusted execution contexts. If dynamic paths are necessary, implement strict validation and sanitization of these paths to ensure they remain within an allowed sandbox or predefined directory structure. | LLM | scripts/index-digests.py:12 |
| HIGH | Data Exfiltration via `serve` API with `RECALL_ALLOW_PRIVATE=true` | The `serve` command, which exposes an HTTP API for memory recall, can be configured via the `RECALL_ALLOW_PRIVATE=true` environment variable to bypass the default `public_only=true` restriction. This allows sandboxed agents or external clients to access private memories, leading to a critical data exfiltration risk if deployed on public or shared hosts without proper access controls. Ensure `RECALL_ALLOW_PRIVATE` is never set to `true` in production environments or any context where private memories should not be exposed. Implement strong network access controls (e.g., firewall rules) to restrict access to the `serve` API endpoint, even if `RECALL_ALLOW_PRIVATE` is `false`. | LLM | SKILL.md:235 |
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/emberdesire/jasper-recall/SKILL.md:1 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/emberdesire/jasper-recall/scripts/digest-sessions.sh:8 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/emberdesire/jasper-recall/scripts/install-mesh.sh:6 |
| MEDIUM | Potential Data Exposure from `privacy-check.py` Output | The `privacy-check.py` script is designed to identify sensitive data in text or files. While its purpose is beneficial, if an attacker can control the input file (`--file`) or text, and the script's output (especially in JSON format) is then exposed or logged, it could inadvertently exfiltrate the very sensitive data it was designed to detect. Ensure that the output of `privacy-check.py` is handled securely, especially when processing untrusted input or when the `--json` flag is used. Avoid logging or exposing this output in insecure channels. Consider sanitizing or redacting sensitive matches in the output if it must be exposed. | LLM | scripts/privacy-check.py:140 |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/emberdesire/jasper-recall/package.json |