Trust Assessment
netpad received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Command Injection via Shell Variable Interpolation in API Calls, Command Injection via jq Filter String Interpolation, Data Exfiltration via Overridable Base URL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Command Injection via Shell Variable Interpolation in API Calls The `api` function in `scripts/netpad.sh` constructs `curl` commands by directly interpolating user-controlled variables (`endpoint`, `data`) into the shell command string. This allows an attacker to inject arbitrary shell commands by providing specially crafted input containing shell metacharacters (e.g., `$(command)`, `;`, `|`, `\n`). This vulnerability affects all API calls made through this wrapper, including operations on forms and submissions. Sanitize all user-controlled input before interpolating it into shell commands. For `endpoint` and `data` arguments, ensure they are properly quoted and escaped to prevent shell expansion. Consider using a safer method for constructing API requests that doesn't rely on direct shell interpolation of untrusted input, or strictly validate and escape all inputs. | LLM | scripts/netpad.sh:26 | |
| CRITICAL | Command Injection via jq Filter String Interpolation In the `forms add-field` command within `scripts/netpad.sh`, user-controlled variables (`$path`, `$label`, `$type`, `$required`) are directly interpolated into the `jq` filter string. An attacker can inject malicious `jq` functions (e.g., `system("command")`) into these variables, leading to arbitrary command execution on the host system. Avoid direct interpolation of untrusted user input into `jq` filter strings. Instead, pass data to `jq` as raw JSON and construct the filter using `jq`'s built-in functions for safe manipulation, or strictly validate and escape all inputs to prevent injection. | LLM | scripts/netpad.sh:70 | |
| HIGH | Data Exfiltration via Overridable Base URL The `scripts/netpad.sh` script allows the `BASE_URL` for API calls to be overridden by the `NETPAD_BASE_URL` environment variable. If an attacker can control this environment variable, they can redirect all API requests, including those containing the `NETPAD_API_KEY`, to a malicious server. This enables the exfiltration of sensitive data and API keys. Restrict the ability to override the `BASE_URL` from environment variables, or implement strict validation for the `NETPAD_BASE_URL` value to ensure it points only to trusted domains. If dynamic URLs are necessary, ensure they are whitelisted or cryptographically signed. | LLM | scripts/netpad.sh:4 | |
| HIGH | Unpinned npm Dependency in Skill Installation The skill's manifest specifies the installation of `@netpad/cli` via `npm i -g @netpad/cli` without a pinned version. This means that the latest version of the package will always be installed. A malicious actor could publish a compromised version of `@netpad/cli` to the npm registry, leading to a supply chain attack where users unknowingly install and execute malicious code. Pin the version of `@netpad/cli` in the manifest (e.g., `"package": "@netpad/cli@1.2.3"`) to ensure that a specific, known-good version is always installed. Regularly review and update pinned versions to incorporate security patches. | LLM | SKILL.md | |
| MEDIUM | Unpinned Package Installation via netpad CLI The `SKILL.md` documentation includes an example command `netpad install @netpad/helpdesk-app`. Similar to unpinned npm dependencies, installing packages without a specific version via the `netpad` CLI introduces a supply chain risk. If the `netpad` marketplace allows unversioned installs, a malicious update to `@netpad/helpdesk-app` could compromise the system. Advise users to install specific versions of packages (e.g., `netpad install @netpad/helpdesk-app@1.0.0`) or implement mechanisms within the `netpad` CLI to verify package integrity and prevent installation of untrusted or unversioned packages. | LLM | SKILL.md:305 |
Scan History
Embed Code
[](https://skillshield.io/report/8825ad0a9e0f0074)
Powered by SkillShield