Trust Assessment
llm-council received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 4 critical, 2 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Arbitrary command execution, Dangerous call: subprocess.Popen().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Detail | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | `skills/am-will/llm-council/scripts/ui_server.py:76` |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | `skills/am-will/llm-council/scripts/llm_council.py:293` |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | `skills/am-will/llm-council/scripts/llm_council.py:819` |
| CRITICAL | Arbitrary command execution via user-provided agent configuration | The `llm_council.py` script allows users to define custom agents or provide `extra_args` for existing agents within the `task_spec.json`. The `command` field for `kind: "custom"` agents and the `extra_args` field for all agents are directly incorporated into `subprocess.Popen` calls without sufficient sanitization or validation. An attacker can craft a malicious `command` or `extra_args` to execute arbitrary shell commands on the host system. The `SKILL.md` explicitly states that "Custom commands (stdin prompt) can be used by setting `kind` to `custom` and providing `command` and `prompt_mode` (stdin or arg)" and "Use `extra_args` to append additional CLI flags for any agent," confirming these fields are intended for user input. | 1. **Strict whitelisting/validation**: instead of directly executing user-provided `command` strings, implement a strict whitelist of allowed commands and arguments. For `extra_args`, validate each argument against expected patterns or a whitelist. Avoid passing arbitrary strings directly to `subprocess.Popen` if they can be interpreted as new commands or options that alter execution flow. 2. **Least privilege**: run agent processes with the minimum necessary permissions. 3. **Sandboxing**: consider running untrusted agent commands within a sandboxed environment (e.g., Docker containers, gVisor, or a dedicated VM) to isolate them from the host system. | LLM | `scripts/llm_council.py:200` |
| HIGH | Dangerous call: `subprocess.Popen()` | Call to `subprocess.Popen()` detected in function `spawn_cli_agent`. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | `skills/am-will/llm-council/scripts/llm_council.py:293` |
| HIGH | Dangerous call: `subprocess.run()` | Call to `subprocess.run()` detected in function `maybe_trash_empty_dir`. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | `skills/am-will/llm-council/scripts/llm_council.py:819` |