Trust Assessment
lingzhu received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 6 critical, 1 high, 2 medium, and 3 low severity. Key findings include Network egress to untrusted endpoints, Unpinned npm dependency version, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Detail | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/endlessjour9527/r-wmi/extension/index.ts:112 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/endlessjour9527/r-wmi/extension/src/cli.ts:33 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/endlessjour9527/r-wmi/extension/src/http-handler.ts:295 |
| CRITICAL | Credential Leakage via Console/Logs | The 'activeAuthAk' (Access Key) is logged directly to the console/stdout during plugin startup and when the 'lingzhu info' CLI command is executed. This exposes a sensitive credential, which could be harvested by anyone with access to the system's logs or console output. | Remove all console.log statements that output sensitive credentials like 'activeAuthAk'. Ensure credentials are only used internally and never exposed in logs or UI. Consider using secure storage mechanisms for credentials. | LLM | extension/index.ts:109 |
| CRITICAL | Credential Leakage via Console/Logs | The 'authAk' (Access Key) is logged directly to the console/stdout when the 'lingzhu info' CLI command is executed. This exposes a sensitive credential, which could be harvested by anyone with access to the system's logs or console output. | Remove all console.log statements that output sensitive credentials like 'authAk'. Ensure credentials are only used internally and never exposed in logs or UI. Consider using secure storage mechanisms for credentials. | LLM | extension/src/cli.ts:30 |
| CRITICAL | Local File Exfiltration via Image URL | The `preprocessOpenAIMessages` function processes incoming `LingzhuMessage` objects. If a message contains an `image_url` starting with `file://`, the local file path is extracted and directly embedded into the `content` field of the message sent to the OpenAI API. This allows an attacker to specify arbitrary local file paths (e.g., `file:///etc/passwd`) and have their contents potentially exfiltrated to the LLM provider. | Sanitize or strictly validate `image_url` inputs to prevent `file://` schemes. Only allow trusted URL schemes (e.g., `http://`, `https://`) for image downloads. If local file access is intended, implement strict allow-listing for paths and ensure content is not sent to external services without explicit user consent. | LLM | extension/src/http-handler.ts:120 |
| HIGH | Prompt Injection via User-Controlled System Message | The `lingzhuToOpenAI` function constructs a system message for the LLM using data from `LingzhuContext` (which is derived from `LingzhuRequest.metadata`). Since `LingzhuRequest` is user-controlled, an attacker can inject arbitrary text into fields like `location`, `weather`, etc., effectively manipulating the LLM's system prompt and potentially overriding its instructions or causing unintended behavior. | Implement strict sanitization and validation for all user-provided `LingzhuContext` fields before they are incorporated into the LLM's system message. Consider using a dedicated, non-LLM-interpretable format for context data or restrict context fields to a predefined set of safe values. | LLM | extension/src/transform.ts:316 |
| MEDIUM | Unpinned npm dependency version | Dependency 'commander' is not pinned to an exact version ('^13.1.0'). | Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/endlessjour9527/r-wmi/extension/package.json |
| MEDIUM | Prompt Injection via LLM Output Pattern Matching | The `detectIntentFromText` function uses regular expressions to identify and trigger specific commands based on the LLM's text response. An attacker could craft a prompt that manipulates the LLM into generating text that matches these patterns (e.g., '正在拍照'), thereby triggering unintended tool calls (like `take_photo` or `notify_agent_off`) without explicit instruction. | Prefer explicit tool calls from the LLM over pattern matching on natural language responses. If pattern matching is necessary, ensure the patterns are highly specific and less susceptible to adversarial manipulation. Implement additional confirmation steps for sensitive actions triggered by text patterns. | LLM | extension/src/transform.ts:280 |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). | Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/endlessjour9527/r-wmi/extension/package.json |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). | Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/endlessjour9527/r-wmi/package.json |
| LOW | Unpinned Dependency Version | The `commander` dependency is specified with a caret range (`^13.1.0`), allowing minor and patch updates. While common, this introduces a slight supply chain risk as a malicious or vulnerable update within the allowed range could be automatically installed. For higher security, exact version pinning is recommended. | Pin the dependency to an exact version (e.g., `"commander": "13.1.0"`) to ensure deterministic builds and prevent unexpected updates. Regularly audit and manually update dependencies to incorporate security fixes. | LLM | extension/package.json:15 |
Full report: https://skillshield.io/report/a5fe4d00a831a65f