Trust Assessment
lg-thinq received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are an unpinned `thinqconnect` dependency and a `raw` command that allows arbitrary ThinQ API payloads.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | `raw` command allows arbitrary ThinQ API payloads | LLM | scripts/thinq.py:209 |
| MEDIUM | Unpinned `thinqconnect` dependency | LLM | SKILL.md:16 |

HIGH: `raw` command allows arbitrary ThinQ API payloads (LLM layer, scripts/thinq.py:209)

The skill exposes a `raw` command that, based on its description (`Send raw command`), likely allows the user (or the LLM) to provide an arbitrary JSON payload to be sent directly to the LG ThinQ API via `async_post_device_control`. This bypasses any higher-level validation or abstraction provided by other commands, granting excessive control over the connected appliances. A malicious or confused LLM could craft payloads to perform unintended or harmful actions, potentially leading to appliance misuse, data corruption (if applicable), or denial of service. This effectively grants the LLM direct, unmediated access to the underlying API capabilities.

Recommendations:

1. **Remove or restrict the `raw` command:** If not strictly necessary, remove this command to limit the attack surface.
2. **Implement strict validation:** If the `raw` command is required, implement comprehensive validation for the JSON payload to ensure only safe and intended operations can be performed.
3. **Least privilege:** Design specific, granular commands for each appliance function rather than a generic `raw` command.
4. **Warning:** Add a prominent warning in the documentation about the dangers and advanced nature of using the `raw` command.

MEDIUM: Unpinned `thinqconnect` dependency (LLM layer, SKILL.md:16)

The skill's setup instructions recommend `pip install thinqconnect` without specifying a version. This makes the skill vulnerable to supply chain attacks if a future version of `thinqconnect` introduces malicious code or vulnerabilities. An attacker could publish a compromised version of the package, which would then be installed by users following these instructions.

Recommendation: Pin the `thinqconnect` dependency to a specific, known-good version (e.g., `pip install thinqconnect==X.Y.Z`). It is also recommended to use a `requirements.txt` or `pyproject.toml` file to manage dependencies explicitly.
Full report: https://skillshield.io/report/be30b50f0b6f7255
Powered by SkillShield