Trust Assessment
ouyang received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 9 critical, 1 high, 3 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings14
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/ttboy/ouyang/cli/jasper-recall.js:110 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/ouyang/cli/jasper-recall.js:13 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/ouyang/src/index.js:9 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/ouyang/cli/jasper-recall.js:34 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/ouyang/cli/jasper-recall.js:52 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/ouyang/src/index.js:28 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/ouyang/src/index.js:41 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/ouyang/src/index.js:56 | |
| CRITICAL | Command Injection in src/index.js due to improper shell command construction The `recall` and `digestSessions` functions in `src/index.js` use `child_process.execSync` to execute external scripts. The command strings are constructed by concatenating script paths and arguments. For `recall`, arguments are insufficiently quoted (`args.map(a => `"${a}"`).join(' ')`), allowing command injection if a user-controlled argument contains a double quote followed by shell metacharacters (e.g., `"; evil_command #"`). For `digestSessions`, arguments are joined directly (`args.join(' ')`) without any quoting, making it highly vulnerable if a user-controlled argument (like `options.recent`) contains shell metacharacters (e.g., `1; evil_command`). This allows an attacker to execute arbitrary commands on the host system. Refactor to use `child_process.spawn` with arguments passed as an array, which prevents shell interpretation of arguments. If `execSync` must be used, ensure all user-controlled arguments are properly escaped for the shell using a robust library (e.g., `shell-quote` or `shlex`). Additionally, for `digestSessions`, validate `options.recent` is a number before passing it. | LLM | src/index.js:19 | |
| HIGH | Command Injection in digest-sessions.sh via --recent argument The `digest-sessions.sh` script is vulnerable to command injection. The value provided to the `--recent` option is used in `tail -n "$RECENT"`. If `$RECENT` contains shell metacharacters (e.g., `$(command)`), it will be executed by the shell. This vulnerability is exposed when the `digest-sessions` command is invoked, either directly or via the `cli/jasper-recall.js` or `src/index.js` wrappers. Validate the `$RECENT` variable to ensure it only contains numeric values before using it in shell commands. For example, use a regular expression to strip non-numeric characters or explicitly check if it's an integer. | LLM | scripts/digest-sessions.sh:70 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/ttboy/ouyang/SKILL.md:1 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ttboy/ouyang/scripts/digest-sessions.sh:8 | |
| MEDIUM | Unpinned Python dependencies The `cli/jasper-recall.js` script installs Python dependencies (`chromadb`, `sentence-transformers`) using `pip install` without specifying exact versions. This introduces a supply chain risk, as future installations might pull in incompatible or malicious versions of these packages if they are compromised or introduce breaking changes. It also makes builds non-deterministic. Pin Python dependencies to exact versions (e.g., `chromadb==X.Y.Z sentence-transformers==A.B.C`) in a `requirements.txt` file and install from that file. Regularly audit and update these pinned versions. | LLM | cli/jasper-recall.js:68 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/ttboy/ouyang/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/203c699e8bffd306)
Powered by SkillShield