Trust Assessment
ms-onedrive-personal-graph received a trust score of 37/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 0 critical, 2 high, 6 medium, and 0 low severity. Key findings include sensitive environment variable access (`$HOME` and `$USER`) and an overly broad OAuth scope request.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | User input directly interpolated into shell command for config file creation: The `CLIENT_ID` and `CLIENT_SECRET` variables, which are obtained directly from user input, are interpolated into a `cat <<EOF` command to create `config.json`. If a malicious user provides input containing shell metacharacters (e.g., `$(command)` or backticks), these could be executed by the shell before `cat` receives its input, leading to arbitrary command execution. Use a safer method to write user-provided data to a file, such as `printf "%s" "$CLIENT_ID" > file` or using a templating engine that properly escapes variables. For JSON, construct the JSON string using `jq` or a Python script to ensure proper escaping. Example: `jq -n --arg id "$CLIENT_ID" --arg secret "$CLIENT_SECRET" '{client_id: $id, client_secret: $secret}' > "$CONFIG_FILE"`. | LLM | scripts/onedrive-setup.sh:50 |
| HIGH | User-provided output path vulnerable to command injection: The `download` command takes a user-provided output file path (`$OUT`) and directly uses it in `curl -o "$OUT"`. If `$OUT` contains shell metacharacters (e.g., `;`, `\|`, `&`, `$(...)`), these characters will be interpreted by the shell, allowing for arbitrary command execution. For example, `download "/file.txt" "; rm -rf /"` would attempt to delete the root directory. Sanitize the `$OUT` variable to ensure it only contains valid filename characters, or use a method that explicitly prevents shell interpretation of the filename. For example, use `install -D /dev/stdin "$OUT"` and pipe the curl output to it, or ensure the shell is invoked with `set -f` (globbing disabled) and `set -o noglob` (pathname expansion disabled) before using `$OUT` in a context where it could be expanded. The most robust solution is to avoid direct shell expansion of untrusted filenames. | LLM | scripts/onedrive-cli.sh:130 |
| MEDIUM | Sensitive environment variable access: $HOME: Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/cesarus85/ms-onedrive-personal/scripts/onedrive-cli.sh:4 |
| MEDIUM | Sensitive environment variable access: $HOME: Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/cesarus85/ms-onedrive-personal/scripts/onedrive-setup.sh:4 |
| MEDIUM | Sensitive environment variable access: $USER: Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/cesarus85/ms-onedrive-personal/scripts/onedrive-setup.sh:89 |
| MEDIUM | Sensitive environment variable access: $HOME: Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/cesarus85/ms-onedrive-personal/scripts/onedrive-token.sh:4 |
| MEDIUM | Overly broad OAuth scope requested: The skill requests the `Files.ReadWrite` OAuth scope, which grants permissions to read, create, update, and delete all files the user can access. However, the skill's documentation explicitly states "No delete operations (by design)". This discrepancy means the skill has more permissions than it claims to use, creating a potential attack surface if a malicious actor were to modify the skill's code to exploit these permissions. Reduce the requested OAuth scope to `Files.Read` or `Files.ReadWrite.AppFolder` if applicable, or `Files.ReadWrite.All` if the skill truly needs to modify all files and the "no delete" claim is just a current implementation detail. If `Files.ReadWrite` is genuinely needed for other operations (like upload/mkdir), clarify the "no delete" statement to indicate it's a current implementation choice, not a permission restriction. | LLM | scripts/onedrive-setup.sh:17 |
| MEDIUM | Folder name directly inserted into JSON payload without escaping: In the `mkdir` command, the `$LEAF` variable, representing the new folder's name, is directly embedded into a JSON string for the `curl -d` payload. If `$LEAF` contains characters that are significant in JSON (e.g., double quotes `"` or backslashes `\`), it could lead to malformed JSON, potentially causing API errors or, in a worst-case scenario, allowing for JSON injection if the API parser is overly permissive. Ensure that `$LEAF` is properly JSON-escaped before being inserted into the payload. This can be done using `jq -n --arg name "$LEAF" '{"name": $name, "folder": {}, "@microsoft.graph.conflictBehavior": "rename"}'` to construct the JSON payload safely. | LLM | scripts/onedrive-cli.sh:80 |