Trust Assessment
lygo-mint-verifier received a trust score of 41/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.run()", and "Arbitrary file read and exfiltration via path traversal in pack argument".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/deepseekoracle/lygo-mint-verifier/scripts/mint_pack_local.py:36 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'run_py'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/deepseekoracle/lygo-mint-verifier/scripts/mint_pack_local.py:36 |
| HIGH | Arbitrary file read and exfiltration via path traversal in pack argument | The `scripts/mint_pack_local.py` script accepts a `--pack` argument which is intended to specify a pack file. The path resolution logic (`(ROOT / args.pack).resolve()` and `Path(args.pack).resolve()`) allows for path traversal sequences (e.g., `../../../../etc/passwd`). The resolved `pack_path` is then passed as an argument to an external tool (`tools/lygo_mint/mint_pack.py`) via `subprocess.run`. The standard output (`proc.stdout`) of this external tool is captured. If this output is not valid JSON, it is stored directly as raw text in the `state/lygo_mint_ledger.jsonl` file. An attacker could provide a path traversal sequence in the `--pack` argument to point to a sensitive file (e.g., `/etc/passwd`). If `mint_pack.py` reads this sensitive file and prints its content to stdout (e.g., because it's not a valid pack format), the content of the sensitive file would be written into the local ledger file, effectively exfiltrating it within the workspace. | 1. **Input Validation**: Implement strict validation for the `--pack` argument to prevent path traversal. Ensure the path does not contain `..` segments and is confined to an expected, non-sensitive directory (e.g., `reference/`). 2. **Path Confinement**: After resolving `pack_path`, explicitly verify that it is a child of a designated safe directory (e.g., `ROOT / 'reference'`) before proceeding. 3. **Sanitize/Validate External Tool Output**: Before writing `proc.stdout` to the ledger, ensure its content is expected and does not contain sensitive information, especially if it's not valid JSON. The `mint_pack.py` tool itself should be hardened to only output structured data and handle errors gracefully without dumping arbitrary file contents. | LLM | scripts/mint_pack_local.py:60 |