Trust Assessment
mulerouter received a trust score of 43/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned Python dependency version, and Local File Path Data Exfiltration via Image Parameters.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Local File Path Data Exfiltration via Image Parameters.** The skill is designed to accept local file paths for image parameters (e.g., `--image /path/to/local/image.png`). The `core/image.py` module contains logic to check if a provided string is a local file, read its content, base64 encode it, and then include it in the API request body sent to the remote MuleRouter/MuleRun API. If an attacker can control the input to these image parameters (e.g., through a compromised prompt or other user-controlled input), they could specify arbitrary file paths on the system. The skill would then read the content of these files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, configuration files, etc.) and exfiltrate them to the configured API endpoint. This poses a severe risk of sensitive data leakage. Remediation: Implement strict input validation for image parameters. Instead of allowing arbitrary local file paths, consider one or more of the following: 1. **Allowlist Directories**: Restrict file access to a specific, isolated directory (e.g., a temporary upload folder or a skill-specific data directory) and reject paths outside this scope. 2. **User Confirmation**: For any local file path, require explicit user confirmation before reading and transmitting its content. 3. **Sandbox Environment**: Run the skill in a tightly sandboxed environment with minimal filesystem access. 4. **Alternative Input**: Prefer direct base64 encoded strings or pre-signed URLs for image uploads, reducing the need for the skill to read local files directly. | LLM | core/image.py:40 |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remediation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/misaka43fd/mulerouter/models/base.py:32 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remediation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/misaka43fd/mulerouter/models/__init__.py:3 |
| MEDIUM | **Unpinned Python dependency version.** Dependency 'httpx>=0.27.0' is not pinned to an exact version. Remediation: Pin Python dependencies with exact versions where feasible. | Dependencies | skills/misaka43fd/mulerouter/pyproject.toml |
| INFO | **Weak Dependency Pinning.** The `pyproject.toml` file uses weak dependency pinning (e.g., `httpx>=0.27.0`, `python-dotenv>=1.0.0`, `pydantic>=2.0.0`). While this allows for minor updates, it introduces a potential supply chain risk. A new version of a dependency could introduce a vulnerability or breaking change that affects the skill's security or functionality without explicit review. Best practice for production deployments is to use exact version pinning to ensure reproducibility and stability. Remediation: Pin dependencies to exact versions (e.g., `httpx==0.27.0`) to ensure reproducibility and prevent unexpected issues from upstream updates. Use a dependency management tool like `pip-compile` or `uv`'s lock file feature to manage exact versions and update them deliberately after security review. | LLM | pyproject.toml:5 |