Trust Assessment
monzo received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 3 critical, 0 high, 2 medium, and 0 low severity. Key findings include Sensitive environment variable access: $HOME, Command Injection via user-controlled file path in 'receipt.sh', Command Injection via unescaped metadata key in 'transactions.sh'.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via user-controlled file path in 'receipt.sh'.** The `scripts/receipt.sh` script uses `cat "$JSON_FILE"` to read receipt data from a file. The `$JSON_FILE` variable is directly controlled by user input via the `--json` argument. An attacker can provide a malicious file path (e.g., `/etc/passwd`, `~/.openclaw/credentials/monzo.json`) to exfiltrate sensitive data, or a path containing shell metacharacters (e.g., `$(ls -la)`) to execute arbitrary commands. Sanitize or validate the `$JSON_FILE` input to ensure it is a safe, expected file path and does not contain shell metacharacters. A safer approach would be to use `read -r` with a file descriptor or a language-specific JSON parser that doesn't involve shell execution of `cat` on an untrusted path. | LLM | scripts/receipt.sh:110 |
| CRITICAL | **Command Injection via unescaped metadata key in 'transactions.sh'.** The `scripts/transactions.sh` script allows users to annotate transactions using `--annotate KEY=VALUE`. The `ANNOTATE_KEY` is directly interpolated into a `curl -d` argument as `-d "metadata[$ANNOTATE_KEY]=$ANNOTATE_VALUE"`. If `ANNOTATE_KEY` contains shell metacharacters (e.g., `foo]; rm -rf /; #`), it can break out of the `curl` argument and lead to arbitrary command execution on the host system. Ensure that user-provided keys and values for `curl -d` arguments are properly shell-escaped before being passed to `curl`. For example, use `printf %q` or a dedicated shell escaping function for each component of the `-d` argument. | LLM | scripts/transactions.sh:90 |
| CRITICAL | **Command Injection via user-controlled date string in 'monzo_parse_date'.** The `monzo_parse_date` function in `scripts/lib/monzo.sh` uses `date -d "$1"` where `$1` is directly derived from user input (e.g., `--since` or `--before` arguments in `transactions.sh`). An attacker can inject shell metacharacters into the date string (e.g., `7d; rm -rf /`) to execute arbitrary commands on the host system. Validate and sanitize date inputs before passing them to the `date` command. Ensure the input strictly conforms to expected date formats and does not contain any shell metacharacters. Consider using a more robust date parsing library or a whitelist of allowed date formats/relative terms. | LLM | scripts/lib/monzo.sh:250 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/rhesketh/monzo/scripts/lib/monzo.sh:9 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/rhesketh/monzo/scripts/setup.sh:18 |
Full report: https://skillshield.io/report/a085d5a25fa8867d (powered by SkillShield)