Trust Assessment
MoltiumV2 received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 3 critical, 1 high, 0 medium, and 0 low severity. Key findings include Untrusted Code Download and Execution via Environment Variable, Execution of Untrusted `npm install` Scripts, Execution of Untrusted Downloaded Scripts.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100; all four findings listed below were raised by that layer, and all of them sit in `scripts/bootstrap.mjs`.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Untrusted code download and execution via environment variable.** The skill downloads a skillpack archive from a URL taken from the `MOLTIUMV2_BASE_URL` environment variable. Anyone who can set that variable can point the skill at a server they control and have it download and execute arbitrary code: a supply-chain weakness that ends in arbitrary code execution on the host. Remediation: pin the base URL to a trusted, immutable source; if dynamic updates are required, verify the downloaded content cryptographically (a pinned hash or a digital signature) before it is extracted or executed, and do not let an environment variable choose where executable code comes from. | LLM | scripts/bootstrap.mjs:16 |
| CRITICAL | **Execution of untrusted `npm install` scripts.** After extracting the skillpack, the script runs `npm install` inside the extracted directory (`TARGET_DIR`). `npm install` runs any `preinstall`, `install` or `postinstall` script declared in the downloaded `package.json` (and in those of its dependencies), so untrusted archive content becomes arbitrary code execution at install time. Remediation: do not run `npm install` on unverified code; if the skillpack must be installed this way, disable lifecycle scripts (`npm install --ignore-scripts`), sandbox the install, or review the `package.json` and its dependency tree for malicious scripts first. | LLM | scripts/bootstrap.mjs:70 |
| CRITICAL | **Execution of untrusted downloaded scripts.** The script runs `ctl.mjs` from the extracted skillpack directly with `node`. Because the skillpack comes from a source controlled by `MOLTIUMV2_BASE_URL`, this executes whatever JavaScript the server chose to ship. Remediation: do not execute downloaded scripts unless the archive has been cryptographically verified and audited, or run them inside a strongly isolated sandbox. | LLM | scripts/bootstrap.mjs:73 |
| HIGH | **Arbitrary file-system write via user-controlled target directory and untrusted archive.** The extraction directory `TARGET_DIR` comes from the `MOLTIUMV2_DIR` environment variable. `spawnSync` is called with `shell: false`, so there is no shell injection, but a `TARGET_DIR` containing traversal sequences such as `../../` sends the extraction outside the intended skill directory, and `tar` extracting a malicious archive can itself write to arbitrary locations if entries carry traversal paths. Remediation: restrict `MOLTIUMV2_DIR` to a simple directory name with no path separators and join it under a fixed parent; extract with a library that rejects path traversal, or validate every archive entry against the target directory before extraction. | LLM | scripts/bootstrap.mjs:17 |
Full report: https://skillshield.io/report/a71b98d297ab09b7
Powered by SkillShield