Trust Assessment
manus received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 8 findings: 3 critical, 5 high, 0 medium, and 0 low severity. Key findings include Unescaped JSON field in `curl -d` allows command injection, Unescaped `task_id` in URL allows command injection, Unescaped `output_dir` in `mkdir` allows arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings8
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Unescaped `output_dir` in `mkdir` allows arbitrary command execution The `output_dir` variable, which can be user-provided, is directly used in a `mkdir -p "$output_dir"` command. An attacker can inject shell metacharacters (e.g., `;`, `$(command)`, `&&`) into the `output_dir` argument to execute arbitrary commands on the system. Validate the `output_dir` to ensure it is a safe path (e.g., only alphanumeric characters, slashes, dots) or escape any shell metacharacters. Consider using a more robust path manipulation library if available. | LLM | scripts/manus.sh:76 | |
| CRITICAL | Unvalidated data written to `TASK_LIST` leads to command injection The `save` action writes user-provided `task_id` and `description` directly to `TASK_LIST` using pipe delimiters. If `task_id` or `description` contain pipe characters (`|`) or shell metacharacters (e.g., `$(command)`), they can shift the fields when read later, leading to command injection. Specifically, a malicious `task_id` like `malicious_id|$(rm -rf /)` would cause `$(rm -rf /)` to be interpreted as the `timestamp` field, leading to execution when `TASK_LIST` is processed by actions like `saved` or `manus-monitor.sh`. This also applies to the `refresh` action writing `status` and `title` from the API. Sanitize all fields (`task_id`, `description`, `status`, `title`) to remove or escape pipe characters and shell metacharacters before writing to `TASK_LIST`. A more robust solution would be to use a structured data format like JSON for `TASK_LIST` and parse it with `jq`. | LLM | scripts/manus.sh:119 | |
| CRITICAL | Unvalidated `timestamp` from `TASK_LIST` leads to command injection The `saved` action reads `timestamp` from `TASK_LIST` and directly uses it in `date -d "@$timestamp"`. Due to the vulnerability in writing to `TASK_LIST` (Finding 6), a malicious `task_id` or `description` containing pipe characters can cause a shell command to be interpreted as the `timestamp` value. This leads to arbitrary command execution when `date` attempts to parse the malicious `timestamp`. Implement robust validation and sanitization of all fields when writing to `TASK_LIST` (as per Finding 6). Additionally, validate `timestamp` to be a numeric value before passing it to `date`. | LLM | scripts/manus.sh:136 | |
| HIGH | Unescaped JSON field in `curl -d` allows command injection The `profile` variable, which can be user-provided, is directly embedded into a JSON string within a `curl -d` command without proper JSON escaping. An attacker can inject arbitrary JSON keys/values or break out of the JSON string to inject shell commands by providing a `profile` value containing double quotes or other JSON/shell metacharacters. JSON-escape the `$profile` variable before embedding it in the `curl -d` command. For example, use `$(echo "$profile" | jq -Rs .)` similar to how `$prompt` is handled. | LLM | scripts/manus.sh:26 | |
| HIGH | Unescaped `task_id` in URL allows command injection The `task_id` variable, which can be user-provided, is directly concatenated into the `curl` request URL without URL encoding. An attacker can inject shell metacharacters (e.g., `$(command)`, `;`, `&`) into the `task_id` to execute arbitrary commands. This vulnerability affects `get`, `status`, `wait`, `files`, and `download` actions. URL-encode the `$task_id` variable before embedding it in the URL. For example, use `$(printf %s "$task_id" | xxd -plain | sed 's/\(..\)/%\1/g')` or a similar URL encoding utility. | LLM | scripts/manus.sh:33 | |
| HIGH | Unvalidated `fileUrl` allows local file exfiltration The `download` action fetches files from a `fileUrl` provided by the Manus API. If the Manus API is compromised or returns a malicious URL (e.g., `file:///etc/passwd` or `ftp://malicious.com/sensitive_data`), `curl` could be tricked into downloading local system files or exfiltrating data to an external server. Validate the `$url` to ensure it uses expected schemes (e.g., `http://` or `https://`) and ideally restrict it to known, trusted domains. | LLM | scripts/manus.sh:85 | |
| HIGH | Unescaped `task_id` in `grep` pattern allows command injection The `task_id` variable, which can be user-provided, is directly used as part of the pattern in a `grep -q "^$task_id|"` command. An attacker can inject shell metacharacters (e.g., `$(command)`) into `task_id` to execute arbitrary commands. Use `grep -F -q` for fixed string matching to prevent interpretation of `task_id` as a regular expression, and escape any shell metacharacters if `task_id` is still directly embedded. | LLM | scripts/manus.sh:112 | |
| HIGH | Unescaped `message` in `curl -d` for Telegram allows command injection The `message` variable, which includes user-provided `task_id` and `description` (from `TASK_LIST`), is directly embedded into a `curl -d "text=${message}"` command without proper shell escaping. An attacker can inject double quotes or other shell metacharacters into `task_id` or `description` (via `manus.sh save`) to break out of the `text` argument and inject arbitrary arguments to `curl` or subsequent shell commands. Properly escape the `$message` variable for shell context before embedding it in the `curl -d` command. For `application/x-www-form-urlencoded` content, URL-encode the value. Ensure that `task_id` and `description` are sanitized when written to `TASK_LIST` (as per Finding 6) to prevent malicious content from reaching this point. | LLM | scripts/manus-monitor.sh:40 |
Scan History
Embed Code
[](https://skillshield.io/report/d51afb37557ba98b)
Powered by SkillShield