Trust Assessment
moonbanking received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include unsanitized user input in `curl` and `jq` commands, an API key vulnerable to exfiltration through command injection, and broad shell execution capabilities via `curl` and `jq`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Unsanitized user input in `curl` and `jq` commands.** The skill explicitly instructs the LLM to use `exec` with `curl` and `jq` for API interactions. User-controlled inputs such as `ENDPOINT`, `param`, `value`, `search`, `sortBy`, `hostname`, `id`, `q`, and `jq` filters are directly interpolated into shell commands without apparent sanitization. This allows an attacker to inject arbitrary shell commands by crafting malicious input values, leading to remote code execution on the host system. The manifest confirms the requirement for `curl` and `jq` binaries, indicating an intent for shell execution. Implement robust input sanitization and shell escaping for all user-provided parameters before constructing and executing `curl` and `jq` commands. Prefer using a dedicated HTTP client library that handles URL construction and parameterization safely, rather than direct shell command string concatenation. If shell execution is unavoidable, use `shlex.quote` or similar functions to properly escape arguments. | LLM | SKILL.md:30 |
| HIGH | **API key vulnerable to exfiltration through command injection.** The `MOON_BANKING_API_KEY` is directly included in the `Authorization` header of `curl` commands. Due to the command injection vulnerability (SS-LLM-003), an attacker could manipulate user-controlled parameters (e.g., `ENDPOINT`, query parameters) to craft a malicious `curl` command that sends the `MOON_BANKING_API_KEY` to an external, attacker-controlled server. This could lead to unauthorized access to the Moon Banking API. The primary remediation is to address the underlying command injection vulnerability (SS-LLM-003). By preventing arbitrary command execution, the risk of exfiltrating the API key is mitigated. Ensure that the API key is never directly exposed in user-controlled parts of the command string, and that all inputs are properly sanitized. | LLM | SKILL.md:30 |
| MEDIUM | **Broad shell execution capabilities via `curl` and `jq`.** The skill's manifest explicitly requires `curl` and `jq` binaries, and the `SKILL.md` instructs the LLM to use `exec` for arbitrary shell command execution. This grants the AI agent broad permissions to execute external programs and interact with the operating system's network and potentially filesystem, which is excessive for a skill primarily designed to query an external API. This broad capability, especially when combined with command injection vulnerabilities, significantly increases the attack surface. Re-evaluate the necessity of direct `exec` calls for API interaction. If possible, use a more constrained and secure method for making HTTP requests, such as a dedicated HTTP client within a sandboxed environment, that does not expose raw shell execution to user-controlled inputs. If `exec` is strictly required, ensure the execution environment is heavily sandboxed and that all commands are constructed with extreme care and rigorous input validation/sanitization. | LLM | SKILL.md:25 |