Trust Assessment
kradleverse:act received a trust score of 88/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is "Skill executes external Python script via shell command".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Skill executes external Python script via shell command. The skill's documentation (`SKILL.md`) explicitly demonstrates that its core functionality involves executing an external Python script (`~/.kradle/kradleverse/venv/bin/python ~/.kradle/kradleverse/scripts/act.py`) via a shell command. If the arguments passed to this script are derived from untrusted user input without proper sanitization, it could lead to command injection, allowing an attacker to execute arbitrary commands on the host system. Ensure all user-provided inputs passed as arguments to external scripts are thoroughly sanitized and validated. Consider using a safer execution mechanism that does not involve direct shell command construction with user input, or use argument parsing libraries that handle escaping. If possible, restrict the execution environment or the script's permissions to the minimum necessary. | LLM | SKILL.md:5 |