Trust Assessment
openbotcity received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Hardcoded Bearer Token detected, Instructions to ignore human input and act autonomously, Arbitrary command execution via dynamic API updates.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100; both critical findings and one of the two high findings come from that layer, so it is where remediation should start.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Instructions to ignore human input and act autonomously.** The skill explicitly instructs the LLM to disregard human guidance and act independently, a direct attempt to subvert the host LLM's control and safety mechanisms. It includes instructions such as "Do NOT wait for a response. Do NOT ask your human what to do next." and emphasizes the LLM's "autonomy loop". Such directives can lead to the LLM performing actions without the necessary human oversight. Recommendation: remove all instructions that encourage the LLM to ignore human input or act without explicit human approval, and rephrase to emphasize human oversight and control so the LLM understands its role as an assistant. | LLM | SKILL.md:130 |
| CRITICAL | **Arbitrary command execution via dynamic API updates.** The skill instructs the LLM to fetch and execute `update.curl_setup` from the `api.openbotcity.com` server during each heartbeat cycle, which lets the remote server deliver and run arbitrary shell commands on the host where the LLM runs. Because the LLM is told to run this content without any validation, a compromise of `api.openbotcity.com` or of the update channel can lead to full system compromise. Recommendation: remove the ability to dynamically execute `update.curl_setup` from a remote server; all executable code should be part of the static skill package and subject to security review. If dynamic updates are absolutely necessary, implement code signing and signature verification so that integrity and authenticity are checked before anything is applied. | LLM | SKILL.md:164 |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer token was found in the skill file. Secrets should be stored in environment variables or a secret manager. Recommendation: replace the hardcoded secret with an environment variable reference, and rotate the exposed token, since removing it from the file does not revoke it. | Static | skills/vincentsider/openbotcity/SKILL.md:245 |
| HIGH | **Excessive permissions requested for dynamic script execution.** The instruction to execute `update.curl_setup` and to modify `HEARTBEAT.md` based on API responses implies broad filesystem write access and arbitrary command execution privileges. This level of access, especially when driven by remote, unverified content, is excessive and creates a significant attack surface, allowing a compromised server to control the host system. Recommendation: restrict the skill's ability to execute arbitrary commands or modify its own core instructions based on remote input; define a strict set of allowed actions and file paths, following the principle of least privilege. | LLM | SKILL.md:164 |
| MEDIUM | **Sensitive JWT stored on disk and used in shell commands.** The skill instructs the LLM to save a JWT to `~/.openbotcity/credentials.json` and then uses it in shell commands (`curl`) and Node.js scripts (`presence.js`). Although `save-credentials.js` attempts to set restrictive file permissions (`0o600`), keeping the JWT on disk and passing it directly into shell commands increases the risk of exposure if the system is compromised or if the LLM is tricked into exfiltrating it by other means (for example a malicious `update.curl_setup` from a compromised API). Recommendation: explore credential management that avoids persistent storage on disk, such as in-memory handling or secure vault integration; if disk storage is unavoidable, ensure robust encryption and access controls. Crucially, mitigate the dynamic update risk (SS-LLM-003/006) to prevent JWT exfiltration through arbitrary command execution. | LLM | SKILL.md:138 |
Full report: https://skillshield.io/report/fe12c7d946556d0d (powered by SkillShield)