Trust Assessment
lastpass-cli received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. The key findings are "Potential `lpass` argument injection via entry name" and "Broad access to LastPass vault and direct output of sensitive data".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential `lpass` argument injection via entry name.** The `name` argument, provided by untrusted input, is directly interpolated into the `lpass show` command. Although double-quoted, this does not prevent argument injection if the `name` value itself starts with a hyphen (e.g., `--help`, `--sync`). A malicious `name` could cause `lpass` to execute unintended operations (like vault synchronization) or reveal internal information about the `lpass` CLI, disrupting the skill's intended function or causing side effects. Implement strict validation or sanitization of the `name` argument to ensure it does not begin with a hyphen or contain other characters that could be interpreted as `lpass` command-line options. A common approach is to prepend `--` to separate options from arguments, e.g., `lpass show --password -- "$name"`, but this depends on `lpass` supporting the `--` convention for arguments. Alternatively, use a library or function that specifically escapes arguments for `lpass` if available, or whitelist allowed characters for `name`. | LLM | tools/lastpass.sh:19 |
| HIGH | **Broad access to LastPass vault and direct output of sensitive data.** The `lastpass_get_secret` tool allows the agent to retrieve any entry by name and any field, including the `raw` content of an entry. This grants the agent broad read access to the entire LastPass vault accessible by the `lpass` CLI. All retrieved secrets are printed directly to `stdout`, making them available to the LLM and potentially to any logging mechanisms in the LLM's environment. This poses a significant risk of sensitive data exposure if the agent is compromised or misused, or if the environment's logging is not secure. 1. **Principle of Least Privilege**: Re-evaluate if the agent truly needs access to *any* entry and *any* field, especially `raw`. Consider restricting the tool's capabilities to specific, pre-approved entry names or field types. 2. **Output Handling**: Ensure that the LLM's environment has robust mechanisms to prevent logging or unauthorized storage of sensitive output from this tool. 3. **User Confirmation**: For highly sensitive operations (e.g., retrieving `raw` data), consider requiring explicit user confirmation before execution. | LLM | tools/lastpass.sh:28 |