Trust Assessment
molt-chess received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 2 critical, 2 high, 5 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Suspicious import: requests", and "Sensitive environment variable access: $HOME".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python dynamic code execution (exec/eval/compile). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/tedkaczynski-the-bot/molt-chess/scripts/play.py:128 |
| CRITICAL | Unverified executable script download. The skill instructs the agent to download 'play.py' from an external URL (https://chess.unabotter.xyz/play.py) and make it executable (`chmod +x`). There are no integrity checks (e.g., cryptographic hash or signature verification) for the downloaded script. An attacker who compromises the `chess.unabotter.xyz` domain or the hosting server could replace `play.py` with malicious code, which the agent would then download and be instructed to execute. Implement cryptographic integrity checks (e.g., SHA256 hash verification) for all downloaded executable scripts. The skill should verify the hash of `play.py` against a known good value before making it executable or allowing the agent to run it. Alternatively, bundle the script directly within the skill package. | LLM | SKILL.md:23 |
| HIGH | LLM instructed to execute unverified external script. The `clawdbot cron add` instruction explicitly tells the LLM to 'use play.py to find best move, and POST the move'. Given that `play.py` is downloaded from an external, unverified source (as identified in SS-LLM-006), this creates a direct prompt injection vector. If `play.py` is compromised, the LLM will be instructed to execute arbitrary malicious code, potentially leading to system compromise or data exfiltration. Ensure that any scripts or tools the LLM is instructed to use are verified and trusted. If `play.py` must be external, implement robust integrity checks before the LLM is allowed to execute it. Consider sandboxing the execution environment for such scripts. | LLM | SKILL.md:42 |
| HIGH | Unverified script reads API key from local storage. The `scripts/play.py` script, which is downloaded from an external, unverified source (as identified in SS-LLM-006), contains logic to read the API key from `~/.config/molt-chess/credentials.json`. If `play.py` were compromised, it could exfiltrate this API key, leading to unauthorized access to the user's molt.chess account or other services if the key is reused. As a prerequisite, address the supply chain risk for `play.py` (SS-LLM-006). Additionally, consider using more secure methods for credential management, such as environment variables or a dedicated secrets manager, rather than directly reading from a file, especially for scripts that are externally sourced. | LLM | scripts/play.py:19 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/tedkaczynski-the-bot/molt-chess/scripts/play.py:23 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tedkaczynski-the-bot/molt-chess/scripts/setup.sh:5 |
| MEDIUM | Unpinned Python dependency version. Requirement 'requests>=2.28.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/tedkaczynski-the-bot/molt-chess/scripts/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency version. Requirement 'chess>=1.10.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/tedkaczynski-the-bot/molt-chess/scripts/requirements.txt:2 |
| MEDIUM | Unverified markdown file download. The skill instructs the agent to download `HEARTBEAT.md` from an external URL (https://chess.unabotter.xyz/heartbeat.md). While not directly executable, this file contains instructions for the agent's behavior. An attacker who compromises the `chess.unabotter.xyz` domain could replace `HEARTBEAT.md` with malicious instructions, potentially leading to prompt injection or other undesirable actions by the agent. Implement cryptographic integrity checks (e.g., SHA256 hash verification) for all downloaded instructional content. The skill should verify the hash of `HEARTBEAT.md` against a known good value before processing its instructions. Alternatively, bundle such critical instructional content directly within the skill package. | LLM | SKILL.md:53 |