Trust Assessment
loom-workflow received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 6 critical, 6 high, 1 medium, and 0 low severity. Key findings include: Arbitrary command execution; Dangerous call: subprocess.run(); and Prompt Injection via Untrusted Transcript/Frame Data.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/g9pedro/loom-workflow/scripts/smart-extract.py:38 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/g9pedro/loom-workflow/scripts/smart-extract.py:45 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/g9pedro/loom-workflow/scripts/smart-extract.py:74 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/g9pedro/loom-workflow/scripts/smart-extract.py:93 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/g9pedro/loom-workflow/scripts/smart-extract.py:190 |
| CRITICAL | Prompt Injection via Untrusted Transcript/Frame Data. The `analyze_frame_batch` and `generate_analysis_prompt` functions construct prompts for a multimodal LLM by directly embedding `transcript_context`, `frame['reason']`, and `frame.get('transcript')` using f-strings. These values are derived from untrusted video content (audio transcription and visual analysis reasons). An attacker could embed malicious instructions within the video's audio or visual elements, which would then be transcribed/extracted and directly injected into the LLM's prompt, potentially manipulating its behavior or extracting sensitive information. Sanitize or escape all untrusted input before embedding it into LLM prompts. Consider using structured input formats or dedicated prompt templating libraries that enforce strict separation between instructions and user-provided data. Implement input validation and content filtering for transcribed text and extracted frame reasons. | LLM | scripts/analyze-workflow.py:60 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_whisper'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/g9pedro/loom-workflow/scripts/smart-extract.py:38 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_whisper'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/g9pedro/loom-workflow/scripts/smart-extract.py:45 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'detect_scene_changes'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/g9pedro/loom-workflow/scripts/smart-extract.py:74 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'extract_frame'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/g9pedro/loom-workflow/scripts/smart-extract.py:93 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'get_video_duration'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/g9pedro/loom-workflow/scripts/smart-extract.py:190 |
| HIGH | Command Injection via Generated Lobster Workflow Commands. The `generate_lobster_workflow` function constructs shell commands (`openclaw.invoke`, `gog.gmail.list`, `echo`) that are embedded into a Lobster workflow file. Arguments to these commands, such as `ui_element`, `action`, `input`, and `url`, are derived directly from the untrusted analysis of the video content. When the generated Lobster workflow is executed by an orchestrator, these commands will be run. If the untrusted data contains shell metacharacters (e.g., `;`, `\|`, `&`, `$()`), an attacker could inject arbitrary commands to be executed on the system running the orchestrator. Although `args-json` is used, the values within the JSON itself could still be malicious if not properly sanitized by the orchestrator or the invoked tools. Implement strict sanitization and validation of all untrusted data (`ui_element`, `action`, `input`, `url`, `email_params`) before embedding it into generated shell commands. Ensure that the orchestrator executing the Lobster workflow properly quotes and escapes all arguments to external commands, or preferably, uses a safer execution mechanism that does not involve shell interpretation. Consider using a whitelist approach for allowed actions and tool parameters. | LLM | scripts/generate-lobster.py:62 |
| MEDIUM | Command Injection via Untrusted File Paths in Subprocess Calls. The `run_whisper`, `detect_scene_changes`, and `extract_frame` functions in `smart-extract.py` execute external commands (`ffmpeg`, `whisper`) using `subprocess.run`. The `video_path` and `output_dir` arguments passed to these commands originate from untrusted user input (the Loom URL). While `subprocess.run` is called with `shell=False` (default), which mitigates direct shell metacharacter injection, a maliciously crafted `video_path` or `output_dir` could potentially exploit vulnerabilities in how `ffmpeg` or `whisper` parse their arguments, or lead to unexpected file system interactions if the path contains special characters that are not properly handled by the external tools. Ensure all file paths derived from untrusted input are strictly validated and sanitized. Canonicalize paths to prevent directory traversal. Consider using a dedicated library for interacting with `ffmpeg` and `whisper` that provides stronger input validation and argument escaping, or implement robust input validation to ensure paths only contain safe characters. | LLM | scripts/smart-extract.py:40 |