Trust Assessment
media-orchestrator received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 7 critical, 5 high, 0 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.run()", and "Unsanitized user input 'query' passed to 'spotify_surface.py'".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/sieershafilone/media-orchestrator/scripts/orchestrator.py:16 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/sieershafilone/media-orchestrator/scripts/orchestrator.py:29 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/sieershafilone/media-orchestrator/scripts/orchestrator.py:79 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/sieershafilone/media-orchestrator/scripts/orchestrator.py:112 |
| CRITICAL | Unsanitized user input 'query' passed to 'spotify_surface.py'. The 'query' variable, which originates from untrusted user input, is directly passed as an argument to 'python3' executing 'spotify_surface.py' via 'subprocess.run'. This allows an attacker to inject arbitrary shell commands by crafting a malicious 'query' string (e.g., "; rm -rf /"), leading to arbitrary code execution on the host system. Sanitize the 'query' input using `shlex.quote()` before passing it as a command-line argument, or ideally, pass data via environment variables or temporary files rather than directly on the command line for sensitive inputs. Ensure 'spotify_surface.py' also validates its arguments. | LLM | scripts/orchestrator.py:28 |
| CRITICAL | Unsanitized user input 'query' passed to 'yt-dlp'. The 'query' variable, originating from untrusted user input, is directly embedded into the 'yt-dlp' command as 'ytsearch1:{query}'. While 'yt-dlp' is generally robust, certain crafted inputs (e.g., containing '--exec' or other command-line options) could potentially bypass 'ytsearch1:' and lead to arbitrary command execution or other malicious actions by 'yt-dlp' itself. This is a known attack vector for tools that parse complex command-line arguments from user input. Thoroughly sanitize the 'query' input before passing it to 'yt-dlp'. If possible, use the 'yt-dlp' Python API directly instead of 'subprocess.run' to avoid shell injection risks. If 'subprocess.run' is necessary, ensure 'query' is strictly validated to contain only expected search terms and does not contain any characters that could be interpreted as 'yt-dlp' command-line options or shell metacharacters. Consider using `shlex.quote()` if the argument must be a single string. | LLM | scripts/orchestrator.py:69 |
| CRITICAL | Unsanitized user input 'chat_target' passed to 'openclaw message send'. The 'chat_target' variable, which is derived from untrusted user input, is directly passed as an argument to the 'openclaw message send' command via 'subprocess.run'. An attacker could inject arbitrary shell commands or additional 'openclaw' arguments by crafting a malicious 'chat_target' string (e.g., "+1234567890 --channel telegram --target evil_user" or "+1234567890; rm -rf /"), leading to arbitrary command execution or manipulation of the 'openclaw' messaging system. Sanitize the 'chat_target' input using `shlex.quote()` before passing it to 'subprocess.run'. Validate 'chat_target' to ensure it strictly conforms to expected formats (e.g., phone number for WhatsApp, user ID for Telegram) and does not contain any shell metacharacters or unexpected command-line options. | LLM | scripts/orchestrator.py:90 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/sieershafilone/media-orchestrator/scripts/orchestrator.py:79 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'message_user'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/sieershafilone/media-orchestrator/scripts/orchestrator.py:112 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/sieershafilone/media-orchestrator/scripts/orchestrator.py:16 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/sieershafilone/media-orchestrator/scripts/orchestrator.py:29 |
| HIGH | Potential data exfiltration through manipulated 'chat_target'. In conjunction with the command injection vulnerability in the 'message_user' function, a malicious 'chat_target' could be crafted to redirect the 'openclaw message send' command to an attacker-controlled endpoint or service. Since the 'file_path' of the downloaded media is passed to this command, this could lead to the exfiltration of sensitive or private media files from the agent's workspace. Implement robust sanitization and validation for the 'chat_target' variable to prevent command injection. Ensure that 'chat_target' can only specify legitimate messaging recipients and cannot be manipulated to redirect file uploads to arbitrary destinations. | LLM | scripts/orchestrator.py:90 |