Trust Assessment
pancake-skills received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Sensitive environment variable access: $USER, Shell Command Injection via Unsanitized Arguments and URL Construction, API Tokens Exposed in URL Query Parameters.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Shell Command Injection via Unsanitized Arguments and URL Construction The `pancake.sh` script is highly vulnerable to shell command injection. User-provided command-line arguments (e.g., `PAGE_ID`, `CONVERSATION_ID`, `FILE_PATH`, `QUERY_STRING`) are directly interpolated into shell commands or used to construct URLs without proper sanitization. This allows an attacker to inject shell metacharacters (e.g., `;`, `|`, `&`, `$()`, `` ` ``), leading to arbitrary command execution on the host system.
Specific vulnerabilities include:
1. **Direct Argument Interpolation**: Arguments like `page_id` and `qs` are directly embedded into the `path` variable, which forms part of the `curl` command's URL. For example, `bash scripts/pancake.sh conversations-list "12345; rm -rf /"` would execute `rm -rf /`.
2. **File Path in `curl -F`**: The `upload` command uses `curl -F "file=@${file_path}"`. If `file_path` contains command substitution (e.g., `$(evil_command)`), the shell will execute `evil_command` before `curl` is invoked.
3. **`url_encode` function**: The `url_encode` function in `common.sh` directly interpolates its input (`$1`) into a `python3 -c` command. If `$1` contains command substitution, it will be executed by the shell. While currently used for environment variables (tokens), this function itself is a critical vulnerability that could be exploited if untrusted input were passed to it. All user-supplied arguments must be rigorously sanitized or properly quoted before being used in shell commands or URL construction. For shell arguments, use `printf %q` or pass them as separate array elements to `curl` (e.g., `curl_args+=("-F" "file=@$file_path")`). For URL components, use a robust URL encoding function that prevents both URL and shell injection. The `url_encode` function in `common.sh` should be fixed to pass arguments safely to Python (e.g., `python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=""))' "$1"`). | LLM | scripts/pancake.sh:241 | |
| HIGH | API Tokens Exposed in URL Query Parameters The `USER_ACCESS_TOKEN` and `PAGE_ACCESS_TOKEN` are appended directly to the URL as query parameters (`access_token` or `page_access_token`) for all API requests. This practice can lead to the exposure of these sensitive tokens in various locations, including web server access logs, proxy logs, network monitoring tools, and potentially browser history. While HTTPS encrypts the transport, the tokens remain visible in logs at the endpoint and any intermediate proxies that decrypt traffic, posing a significant data exfiltration risk. API tokens should be transmitted securely, preferably in the `Authorization` header using a `Bearer` token scheme, rather than as URL query parameters. This prevents them from being logged by default in web server access logs and reduces exposure. | LLM | scripts/common.sh:88 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/suminhthanh/pancake-skills/scripts/common.sh:82 |
Scan History
Embed Code
[](https://skillshield.io/report/90552835e18df5ea)
Powered by SkillShield