Trust Assessment
lulu-monitor received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 22 findings: 12 critical, 5 high, 5 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "Network egress to untrusted endpoints", and "Persistence mechanism: macOS LaunchAgent".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (22)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/easonc13/lulu-monitor/SKILL.md:108 |
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/easonc13/lulu-monitor/SKILL.md:109 |
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/easonc13/lulu-monitor/scripts/configure.sh:39 |
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/easonc13/lulu-monitor/scripts/configure.sh:40 |
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/easonc13/lulu-monitor/scripts/install.sh:80 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/easonc13/lulu-monitor/SKILL.md:69 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/easonc13/lulu-monitor/SKILL.md:86 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/easonc13/lulu-monitor/scripts/check-prerequisites.sh:51 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/easonc13/lulu-monitor/scripts/check-prerequisites.sh:58 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/easonc13/lulu-monitor/scripts/install.sh:84 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/easonc13/lulu-monitor/scripts/install.sh:89 |
| CRITICAL | Command Injection via Unquoted Heredoc in Configuration Script. The `scripts/configure.sh` script uses an unquoted `EOF` delimiter in a heredoc when writing to `config.json`. This allows shell variable expansion within the heredoc. If a user provides input for `NEW_TG_ID` that contains shell command substitutions (e.g., `$(command)`), those commands will be executed during the `cat` operation, leading to arbitrary command execution. Quote the `EOF` delimiter in the heredoc (e.g., `cat > "$CONFIG_FILE" << 'EOF'`) to prevent shell variable expansion. Alternatively, use a safer method for JSON manipulation, such as `jq`, or escape the user input before embedding it in the JSON string. | LLM | scripts/configure.sh:26 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/easonc13/lulu-monitor/SKILL.md:108 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/easonc13/lulu-monitor/SKILL.md:109 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/easonc13/lulu-monitor/scripts/configure.sh:39 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/easonc13/lulu-monitor/scripts/configure.sh:40 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/easonc13/lulu-monitor/scripts/install.sh:80 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/easonc13/lulu-monitor/scripts/check-prerequisites.sh:55 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/easonc13/lulu-monitor/scripts/configure.sh:4 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/easonc13/lulu-monitor/scripts/install.sh:7 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/easonc13/lulu-monitor/scripts/uninstall.sh:6 |
| MEDIUM | Supply Chain Risk via `npm install`. The `scripts/install.sh` script executes `npm install --production`. This command fetches and installs dependencies defined in the `package.json` file, which is part of the untrusted skill package. If the `package.json` contains malicious or vulnerable packages, or if dependencies are not pinned to exact versions, it introduces a supply chain risk, potentially leading to the execution of arbitrary code or the introduction of known vulnerabilities. Ensure all dependencies in `package.json` are pinned to exact versions. If a `package-lock.json` is available and trusted, use `npm ci` instead of `npm install` for deterministic installations. Regularly audit dependencies for known vulnerabilities using `npm audit` or similar tools. Review the `package.json` and `package-lock.json` for any suspicious or overly broad dependencies. | LLM | scripts/install.sh:30 |