Trust Assessment
nest-devices received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 7 critical, 6 high, 3 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings16
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/amogower/nest-devices/SKILL.md:251 | |
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/amogower/nest-devices/scripts/nest.py:83 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/amogower/nest-devices/scripts/nest-webhook.py:61 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/amogower/nest-devices/scripts/nest-webhook.py:184 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/amogower/nest-devices/scripts/nest.py:45 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/amogower/nest-devices/scripts/nest.py:53 | |
| CRITICAL | Command Injection via ffmpeg with untrusted RTSP URL The `capture_rtsp_frame` function in `scripts/nest-webhook.py` constructs an `ffmpeg` command using an `rtsp_url` obtained from the Nest API. If a malicious actor can compromise the Nest API response (e.g., by compromising the Nest device or Google account), they could inject arbitrary shell commands into the `rtsp_url`. The `subprocess.run` call directly inserts the `rtsp_url` into the command list without proper sanitization or escaping, making it vulnerable to command injection. Implement strict validation and sanitization of the `rtsp_url` to ensure it only contains a valid URL format and no shell metacharacters. A more robust solution would be to use a dedicated Python library for RTSP stream processing that does not rely on shelling out to `ffmpeg` with untrusted input, or to pass the URL via stdin if `ffmpeg` supports it, or to use `shlex.quote` if `shell=True` were used (though `shell=False` is preferred). The safest approach is to avoid passing untrusted strings directly as arguments to external commands. | LLM | scripts/nest-webhook.py:205 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'capture_rtsp_frame'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/amogower/nest-devices/scripts/nest-webhook.py:184 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_nest_creds'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/amogower/nest-devices/scripts/nest-webhook.py:61 | |
| HIGH | Potential data exfiltration: file read + network send Function 'capture_rtsp_frame' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/amogower/nest-devices/scripts/nest-webhook.py:191 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_credentials'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/amogower/nest-devices/scripts/nest.py:45 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_credentials'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/amogower/nest-devices/scripts/nest.py:53 | |
| HIGH | Persistence mechanism: systemd service Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/amogower/nest-devices/SKILL.md:251 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/amogower/nest-devices/scripts/nest-webhook.py:17 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/amogower/nest-devices/scripts/nest.py:13 | |
| MEDIUM | Supply Chain Risk: Unpinned External Binaries (op, ffmpeg) The skill relies on external binaries `op` (1Password CLI) and `ffmpeg` for core functionality. The `SKILL.md` and Python scripts do not specify required versions for these tools, nor do they include mechanisms to verify their integrity or ensure they are installed from trusted sources. This introduces a supply chain risk, as a compromised or malicious version of `op` or `ffmpeg` installed on the user's system could lead to credential compromise or arbitrary code execution. Specify minimum required versions for `op` and `ffmpeg`. Provide instructions for secure installation and verification (e.g., checksums, official sources). Consider using containerized environments or virtual environments where dependencies can be more tightly controlled. For `op`, ensure the `OP_SERVICE_ACCOUNT_TOKEN` is managed securely and has least privilege. | LLM | SKILL.md |
Scan History
Embed Code
[](https://skillshield.io/report/ec0a04e6dd4af05c)
Powered by SkillShield