Trust Assessment
kradleverse:act received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The key finding is "Skill executes local Python script via shell command".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Skill executes local Python script via shell command.** The skill's primary definition in `SKILL.md` includes a `bash` code block that executes a local Python script (`~/.kradle/kradleverse/scripts/act.py`). While the example command shown (`--help`) is benign, the skill's nature as a wrapper for a shell command introduces a risk of command injection if user-provided input is passed to `act.py` without proper sanitization. The `act.py` script itself is not provided for analysis, but the skill's description 'Send an action in a Kradleverse game' strongly implies user input will be processed. Ensure that all user-provided inputs passed to `act.py` are thoroughly sanitized and escaped to prevent arbitrary command execution. Consider using a more secure method for executing the Python script that does not involve direct shell interpretation of user input, or provide the `act.py` script for security review to confirm its input handling practices. | LLM | SKILL.md:5 |