Trust Assessment
pasteclaw-agent received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 0 medium, and 1 low severity. Key findings include Potential Shell Command Injection via `curl` arguments, User-provided content sent to external service.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Shell Command Injection via `curl` arguments The skill provides `curl` command examples that an agent would likely use to interact with the Pasteclaw API. If the agent constructs these `curl` commands by directly interpolating untrusted user input (e.g., `title`, `html`, `content`) into the `-d` (data) or `--data-urlencode` arguments without proper shell escaping, it could lead to shell command injection. An attacker could craft input that breaks out of the string literals or URL-encoded values, allowing arbitrary commands to be executed on the host system. The agent implementation should use a robust method for constructing shell commands, such as a dedicated library for HTTP requests (e.g., `requests` in Python) instead of direct shell execution of `curl`. If `curl` must be used, ensure all user-provided inputs are thoroughly shell-escaped before being embedded into `curl` arguments. For JSON payloads, ensure the JSON itself is valid and user input is properly JSON-escaped before being passed to `curl -d`. For URL-encoded data, ensure proper URL encoding and shell escaping. | LLM | SKILL.md:30 | |
| LOW | User-provided content sent to external service The primary function of this skill is to publish user-provided content (HTML, CSS, JS, markdown, text, JSON, YAML) to the external service Pasteclaw.com. While this is the intended functionality, it means any sensitive information provided by the user to the agent and subsequently processed by this skill will be transmitted to and stored on Pasteclaw.com. Users should be aware of this data handling practice and exercise caution when providing highly sensitive or confidential information. Inform users clearly about the data transmission to an external service. Implement checks within the agent to prompt for confirmation before sending potentially sensitive data, or to redact known sensitive patterns if appropriate, especially if the content is not intended for public or external storage. | LLM | SKILL.md:16 |
Scan History
Embed Code
[](https://skillshield.io/report/c5a0d4f84dad4996)
Powered by SkillShield