Trust Assessment
lulu-monitor received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 5 critical, 3 high, 2 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "Network egress to untrusted endpoints", and "Persistence mechanism: macOS LaunchAgent".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions | macOS LaunchAgent/LaunchDaemon persistence | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/getmolty/lulu-monitorl/SKILL.md:110 |
| CRITICAL | Persistence / self-modification instructions | macOS LaunchAgent/LaunchDaemon persistence | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/getmolty/lulu-monitorl/SKILL.md:111 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/getmolty/lulu-monitorl/SKILL.md:71 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/getmolty/lulu-monitorl/SKILL.md:88 |
| CRITICAL | Potential Command Injection in local callback endpoint | The skill exposes a local HTTP endpoint (`http://127.0.0.1:4441/callback`) that processes user-controlled input from Telegram callbacks, specifically an `action` parameter (e.g., "allow", "block"). The skill's description indicates that this `action` parameter is used to "Click the appropriate button on LuLu alert" and perform other actions. It is highly probable that these actions are implemented by constructing and executing `osascript` commands or shell commands where the `action` value is directly interpolated. Without proper sanitization of the `action` parameter, a malicious user could craft a callback payload to inject arbitrary commands, leading to remote code execution on the user's macOS system, especially given the skill's requirement for Accessibility permissions. | Implement strict input validation and sanitization for the `action` parameter within the callback handler. Only allow a predefined whitelist of expected action values (e.g., "allow", "block", "allow-once", "block-once"). Avoid direct string interpolation of user input into shell commands or `osascript` calls; if dynamic command construction is necessary, use parameterized commands or escape all user-provided data rigorously. | LLM | SKILL.md:89 |
| HIGH | Persistence mechanism: macOS LaunchAgent | Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/getmolty/lulu-monitorl/SKILL.md:110 |
| HIGH | Persistence mechanism: macOS LaunchAgent | Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/getmolty/lulu-monitorl/SKILL.md:111 |
| HIGH | Skill requires broad Accessibility permissions | The skill explicitly instructs the user to grant Accessibility permissions to `Terminal/osascript`. This allows the skill to programmatically control other applications' user interfaces, including LuLu Firewall. While this permission is required for the skill's core functionality (e.g., clicking buttons in LuLu alerts), it represents a high-risk permission. If the skill's underlying code is compromised or contains a command injection vulnerability, an attacker could leverage these permissions to perform arbitrary actions on the user's macOS system, potentially bypassing security controls or exfiltrating sensitive data by interacting with other applications. | Ensure all `osascript` calls within the skill's code are meticulously sanitized and only perform the absolute minimum required actions. Explore alternative, less privileged APIs for interacting with LuLu if available, or consider sandboxing the `osascript` execution. Clearly document the implications of this permission to the user. | LLM | SKILL.md:55 |
| MEDIUM | Execution of uninspected shell scripts during installation/uninstallation | The skill's installation and uninstallation procedures involve executing several shell scripts (`scripts/check-prerequisites.sh`, `scripts/install.sh`, `scripts/uninstall.sh`). The content of these scripts is not provided in the analysis context. These scripts could potentially contain malicious commands, insecure configurations, or introduce vulnerabilities (e.g., downloading unverified binaries, executing commands with excessive privileges, or being susceptible to command injection themselves). Without inspection of their source code, there's an inherent supply chain risk associated with their execution. | Provide the source code for all executed scripts (`check-prerequisites.sh`, `install.sh`, `uninstall.sh`) for security review. Ensure scripts are minimal, idempotent, and only perform necessary actions. Avoid downloading external resources without integrity checks. Pin versions of any tools or packages installed by the scripts. | LLM | SKILL.md:48 |
| MEDIUM | Unverified npm dependencies | The installation process includes "Install npm dependencies", indicating that the skill relies on Node.js packages defined in a `package.json` file. This `package.json` file was not provided for analysis. Without access to the dependency list, it's impossible to assess potential supply chain risks such as unpinned dependencies (allowing for unexpected version updates with breaking changes or vulnerabilities), known vulnerabilities in declared packages, or the presence of malicious or typosquatted packages. | Provide the `package.json` file for analysis. Pin all dependencies to exact versions. Regularly audit dependencies for known vulnerabilities using tools like `npm audit`. Consider using a dependency lock file (`package-lock.json`) and committing it to version control. | LLM | SKILL.md:65 |