Trust Assessment
life-control received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are "Skill instructs execution of untrusted shell scripts" and "Skill requires exporting sensitive Telegram tokens to environment".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Skill instructs execution of untrusted shell scripts. The skill's quick start and core workflows explicitly instruct the user to run multiple shell scripts (`bootstrap.sh`, `telegram-sender.sh`, scripts within `routines/`, and `setup-agents.sh` which is called by `bootstrap.sh`). These scripts are external to the `SKILL.md` and their contents are not provided for analysis. Executing untrusted or unverified shell scripts can lead to arbitrary command execution, system compromise, data exfiltration, or credential harvesting. Review the contents of all mentioned shell scripts (`bootstrap.sh`, `setup-agents.sh`, `telegram-sender.sh`, and all scripts in `routines/`) for malicious code, vulnerabilities, or excessive permissions. Ensure scripts are sandboxed or run in a controlled environment. If possible, replace shell scripts with safer, sandboxed API calls or built-in functions. | LLM | SKILL.md:16 |
| MEDIUM | Skill requires exporting sensitive Telegram tokens to environment. The skill instructs the user to export `Telegram chat ID` and `agent bot tokens` as environment variables. While this is a common practice for legitimate applications, it exposes sensitive credentials to the environment where they can potentially be accessed by any process running with the same user permissions, including the skill's underlying code. If the skill's code is compromised or malicious, it could harvest these tokens, leading to unauthorized access to Telegram accounts or services. Avoid storing sensitive credentials directly in environment variables, especially for long-lived processes. Consider using secure secret management systems (e.g., AWS Secrets Manager, HashiCorp Vault, Kubernetes Secrets) or prompting for credentials at runtime with appropriate masking. Ensure the skill's underlying code handles these credentials securely and does not log or exfiltrate them. | LLM | SKILL.md:15 |