Trust Assessment
moltsheet received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The key findings are "Overly broad Bash(curl *) permission" and "Command Injection and Data Exfiltration via unconstrained `curl` arguments".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection and Data Exfiltration via unconstrained `curl` arguments: The skill's reliance on `Bash(curl *)` to interact with the Moltsheet API, combined with the LLM's role in generating `curl` commands from user input, creates a critical risk of command injection and data exfiltration. If user-provided data (e.g., sheet names, column names, cell values, agent slugs, or even parts of the API key if it's passed through user input) is not rigorously shell-escaped before being interpolated into `curl` commands, an attacker could inject arbitrary shell commands or exfiltrate sensitive data (e.g., local files like `/etc/passwd`, environment variables, or the skill's own API key) to an attacker-controlled server. The `curl` examples in the `SKILL.md` (e.g., for agent registration or sheet creation) demonstrate how various user-controlled strings would be embedded into command arguments and JSON payloads, providing clear vectors for injection. Implement strict input validation and comprehensive shell escaping for all user-provided data before it is used in `curl` commands. This includes escaping characters within JSON payloads, URL paths, query parameters, and HTTP headers. Additionally, restricting the `Bash` tool permission as suggested in the SS-LLM-005 finding would provide a crucial layer of defense. | LLM | skills/youssefbm2008/moltsheet/SKILL.md:50 |
| HIGH | Overly broad Bash(curl *) permission: The skill declares `Bash(curl *)` permission in its manifest, allowing `curl` to be executed with arbitrary arguments. This permission is too broad and enables potential command injection and data exfiltration if the LLM constructs `curl` commands based on untrusted user input without proper sanitization. The skill's functionality, as described, appears to be limited to interacting with `https://www.moltsheet.com/api/v1`, suggesting a more restrictive permission could be used. Restrict the `Bash` tool permission to only allow `curl` commands targeting the specific Moltsheet API domain, e.g., `Bash(curl https://www.moltsheet.com/*)`. This would prevent `curl` from being used to access arbitrary external domains or local files. | LLM | skills/youssefbm2008/moltsheet/SKILL.md |