Trust Assessment
newsletter-curation received a trust score of 19/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 1 medium, and 1 low severity. Key findings include "Covert behavior / concealment directives", "Arbitrary command execution", and "Remote code execution: curl/wget pipe to shell".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/okaris/newsletter-curation/SKILL.md:9 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/okaris/newsletter-curation/SKILL.md:9 |
| HIGH | Potential Command and Prompt Injection via Unsanitized Input to `infsh`. The skill demonstrates executing `infsh app run` commands where arguments like `query` or `text` within the `--input` JSON are expected to be dynamically filled (e.g., `[your niche]`). If these arguments are populated directly from untrusted user input without proper sanitization or escaping, an attacker could: (1) **Command Injection**: Inject shell metacharacters into the `infsh` command string, potentially leading to arbitrary command execution on the host system, leveraging the `Bash(infsh *)` permission. (2) **Prompt Injection**: Manipulate the behavior of the downstream `tavily/search-assistant`, `exa/search`, or `x/post-create` applications by injecting malicious instructions or data into their `query` or `text` parameters. This could lead to data exfiltration, unauthorized actions, or denial of service. Implement robust input validation and sanitization for any user-provided data used to construct `infsh` commands or their `--input` JSON arguments. Ensure that dynamic parts of the command and JSON values are properly quoted and escaped to prevent shell metacharacter injection. Additionally, the downstream `infsh` applications should implement their own prompt injection defenses and input sanitization. | LLM | SKILL.md:100 |
| MEDIUM | Broad `Bash(infsh *)` permission allows execution of arbitrary `infsh` subcommands. The skill declares `Bash(infsh *)` as an allowed tool. This permission grants the LLM the ability to execute any command starting with `infsh`. While the provided examples primarily use `infsh app run`, a malicious prompt could manipulate the LLM to invoke other `infsh` subcommands (e.g., `infsh login`, `infsh config`, `infsh logout`, `infsh delete`, `infsh exec`) that might have unintended side effects, expose sensitive configuration, or perform unauthorized actions beyond the skill's intended scope. Narrow the `Bash` permission to only allow specific `infsh` subcommands and arguments if possible (e.g., `Bash(infsh app run *)`). If fine-grained control is not available, implement strong guardrails within the LLM's prompt to explicitly restrict it from invoking unauthorized `infsh` commands and monitor its behavior. | LLM | SKILL.md:1 |
| LOW | Covert behavior / concealment directives. CSS-based text hiding. Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/okaris/newsletter-curation/SKILL.md:18 |