Trust Assessment
lmstudio-subagents received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 18 findings: 13 critical, 2 high, 2 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unsanitized user input in `exec command:` directives, Arbitrary file write via `--log` option in `lmstudio-api.mjs`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (18)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/SKILL.md:4 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/SKILL.md:9 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/SKILL.md:24 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/SKILL.md:42 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/SKILL.md:51 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/SKILL.md:84 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/SKILL.md:92 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/SKILL.md:111 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/scripts/lmstudio-api.mjs:12 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/scripts/load.mjs:5 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/scripts/load.mjs:8 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/scripts/unload.mjs:6 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/scripts/unload.mjs:9 |
| HIGH | Unsanitized user input in `exec command:` directives. The `SKILL.md` document provides `exec command:` examples that directly embed placeholders like `<model>`, `<task>`, `<instance_id>`, and `<model_key>` into shell commands. If the orchestrating LLM populates these placeholders with unsanitized user input, shell metacharacters (e.g., `;`, `&&`, `\|`, `$()`) could be executed, leading to arbitrary command execution on the host system. This is a direct command injection vulnerability at the shell execution layer. Recommendation: The orchestrating LLM must sanitize or properly escape all user-provided inputs before embedding them into shell commands. For `node` arguments, consider passing them as separate arguments to `exec` or using a more robust command execution mechanism that prevents shell interpretation. For `curl -d` and `jq` arguments, ensure proper JSON/shell escaping. | LLM | SKILL.md:44 |
| HIGH | Arbitrary file write via `--log` option in `lmstudio-api.mjs`. The `scripts/lmstudio-api.mjs` script accepts a `--log <path>` argument, allowing it to write request and response data to an arbitrary file path on the system. An attacker could exploit this to overwrite critical system files, write malicious content to web server directories, or exfiltrate sensitive data by writing it to a controlled network share. Recommendation: Restrict the `logPath` to a predefined, secure directory (e.g., a temporary directory or a skill-specific log directory) and ensure that the path provided by the user cannot escape this directory (e.g., by sanitizing `..` or absolute paths). Alternatively, remove the ability to specify an arbitrary log file path. | LLM | scripts/lmstudio-api.mjs:40 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/t-sinclair2500/lm-studio-subagents/scripts/test.mjs:9 |
| MEDIUM | SSRF vulnerability via `--api-url` option. All Node.js scripts (`lmstudio-api.mjs`, `load.mjs`, `test.mjs`, `unload.mjs`) allow the `LM_STUDIO_API_URL` to be overridden by a user-provided `--api-url` command-line argument. While intended for pointing to a local LM Studio instance, this functionality could be abused by an attacker to make requests to arbitrary internal network endpoints or other services accessible from the agent's host, potentially leading to information disclosure, port scanning, or interaction with sensitive internal APIs. Recommendation: Implement strict validation for the `--api-url` argument to ensure it only points to `http://127.0.0.1:1234` or other explicitly allowed local/internal endpoints. Disallow arbitrary external URLs. | LLM | scripts/lmstudio-api.mjs:19 |
| INFO | Access to `LM_STUDIO_API_URL` environment variable. The scripts read the `LM_STUDIO_API_URL` environment variable to determine the LM Studio API endpoint. While this specific variable is typically not sensitive, accessing environment variables in general can be a vector for data exfiltration if sensitive credentials or configuration are stored in them and then used in conjunction with an SSRF vulnerability or logging. This is noted for transparency. Recommendation: Ensure that no sensitive credentials or private information are stored in environment variables that are accessible to skills. If `LM_STUDIO_API_URL` could ever contain sensitive data, consider encrypting it or using a secure secrets management system. | LLM | scripts/lmstudio-api.mjs:8 |