Trust Assessment
near-batch-sender received a trust score of 32/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 0 medium, and 1 low severity. Key findings include Arbitrary command execution, Node lockfile missing, Command Injection via Unsanitized User Input.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shaiss/near-batch-sender/scripts/batch.js:4 |
| CRITICAL | Command Injection via Unsanitized User Input: The `scripts/batch.js` file constructs shell commands by directly interpolating user-provided command-line arguments (`senderAccount`) and values read from a user-specified JSON file (`recipient.account`, `recipient.amount`, `transfer.contract`, `transfer.receiver`, `transfer.token_id`) into strings executed via `child_process.exec`. This allows an attacker to inject arbitrary shell commands by crafting malicious input values containing shell metacharacters (e.g., `;`, `&`, `\|`, `` ` ``, `$()`). Avoid direct string interpolation for shell commands. Instead, use `child_process.spawn` with an array of arguments, which prevents shell interpretation of arguments. If `exec` must be used, thoroughly sanitize all user-controlled inputs to escape or remove shell metacharacters before constructing the command string. | LLM | scripts/batch.js:20 |
| HIGH | Arbitrary File Read via User-Controlled Path: The script uses `fs.readFile` to read a file whose path (`arg2`) is directly provided by the user via command-line arguments (`process.argv[4]`). An attacker could specify a path to any readable file on the system (e.g., `/etc/passwd`, `~/.bashrc`, `/proc/self/environ`) to read its contents. While the script expects a JSON file, it does not validate the path or content type, making it vulnerable to reading and potentially exposing sensitive system files. Implement strict validation for file paths to ensure they are within an expected, sandboxed directory and do not contain directory traversal sequences (e.g., `../`). Consider using a temporary file or a more secure method for input if direct file path access is not strictly necessary. If the content is sensitive, ensure it's not logged or exposed. | LLM | scripts/batch.js:80 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/shaiss/near-batch-sender/package.json |