Trust Assessment
openpet received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include User-controlled pet name used in LLM-generated alerts without sanitization, User-controlled identifiers used in file paths without explicit sanitization, Skill requires ability to schedule persistent cron jobs.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | User-controlled pet name used in LLM-generated alerts without sanitization The skill allows users to set their pet's name via the `name pet [name]` command. This pet name is subsequently incorporated into various alert messages (e.g., "🍖 {name} is starving!", "😢 {name} misses you!", "💀 {name} has passed away...", "✨ {name} evolved into a {species}!"). If these alert messages are passed to the host LLM for natural language generation or delivery, an attacker could inject malicious instructions into the pet's name. This could manipulate the LLM's behavior, leading to unintended actions, information disclosure, or further prompt injection attacks. Implement strict sanitization and validation for user-provided pet names, removing any characters or patterns that could be interpreted as LLM instructions or markdown formatting. When using the pet's name in prompts for the host LLM, ensure it is properly escaped or enclosed in a way that prevents it from being interpreted as instructions (e.g., using XML tags or JSON structures for data passing). | LLM | SKILL.md:39 | |
| MEDIUM | User-controlled identifiers used in file paths without explicit sanitization The skill stores pet data in files named `tamagotchi/pets/{platform}_{userId}.json`. The `{platform}` and `{userId}` components are derived from the user's message context. While common platform IDs (Discord userId, WhatsApp phoneNumber, Telegram chatId, Signal uuid) are typically numeric or alphanumeric and less prone to path traversal, the skill description does not explicitly mention sanitization or validation of these identifiers before they are used to construct file paths. If an attacker could manipulate these identifiers to include path traversal sequences (e.g., `../`, `/`), they might be able to read, write, or overwrite arbitrary files outside the intended `tamagotchi/pets/` directory. Ensure that all user-derived components used in file paths (`userId`, `phoneNumber`, `chatId`, `uuid`) are strictly validated and sanitized to contain only allowed characters (e.g., alphanumeric, hyphens) and to explicitly disallow any path traversal sequences (`..`, `/`, `\`). Consider using a robust file system abstraction layer that automatically handles path sanitization. | LLM | SKILL.md:13 | |
| INFO | Skill requires ability to schedule persistent cron jobs The skill description indicates the need to "Set up cron job `openpet-tick` every 2 hours" for decay mechanics. This implies the skill has the capability to schedule and manage persistent background tasks or cron jobs on the host system. While necessary for the skill's functionality, this is a powerful permission that, if misused or exploited (e.g., via command injection in the cron job definition itself, though not evident here), could lead to system compromise or resource exhaustion. This finding is informational to highlight a significant capability. Ensure that the environment running the skill enforces strict sandboxing and least privilege principles. If the cron job definition itself is constructed with any user input, ensure rigorous sanitization to prevent command injection. Monitor the execution of scheduled tasks for anomalous behavior. | LLM | SKILL.md:70 |
Scan History
Embed Code
[](https://skillshield.io/report/d81ca68291383216)
Powered by SkillShield