Trust Assessment
perry-coding-agents received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection in 'task' parameter, SSH Host Key Checking Disabled, and Bearer Token Transmission in Wake-up Hook.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection in 'task' parameter: The skill constructs `ssh` commands that execute `opencode run 'task'` or `claude 'task'` on a remote workspace. The `task` string is user-provided. If the `task` string is not properly sanitized or escaped before being passed to the remote shell by `opencode` or `claude`, an attacker could inject arbitrary shell commands by crafting a malicious `task` input. Ensure that the `task` parameter is properly escaped or sanitized before being passed to `opencode` or `claude` on the remote system. Ideally, use a mechanism that avoids direct shell interpretation of the `task` string, or strictly validate its content. The LLM should be instructed to escape any user-provided content for the `task` argument. | LLM | SKILL.md:16 |
| HIGH | SSH Host Key Checking Disabled: The `ssh` commands explicitly use `-o StrictHostKeyChecking=no`. This disables host key verification, making the SSH connection vulnerable to Man-in-the-Middle (MITM) attacks. An attacker could impersonate the remote workspace, intercept sensitive commands, or provide malicious responses. Remove `-o StrictHostKeyChecking=no`. Instead, ensure that the host keys for the remote workspaces are properly managed and trusted, for example, by adding them to `~/.ssh/known_hosts` or using `StrictHostKeyChecking=accept-new` for initial connections in a controlled environment. | LLM | SKILL.md:16 |
| MEDIUM | Bearer Token Transmission in Wake-up Hook: The skill demonstrates sending an `Authorization: Bearer <hooks-token>` via `curl` to a `WAKE_IP`. While `<hooks-token>` is a placeholder, the pattern requires the LLM to provide a sensitive token. If a real token is used and the `WAKE_IP` endpoint is compromised or untrusted, this token could be exfiltrated. The `WAKE_IP` is derived from `tailscale status`, which is typically an internal IP, but the security of the endpoint itself is critical. Ensure that the `WAKE_IP` endpoint is fully trusted and secured. Implement strict access controls and logging on the wake-up hook server. Instruct the LLM to use environment variables or a secure credential store for the token, rather than embedding it directly in the prompt, and to only provide it to trusted endpoints. Consider using a more secure authentication mechanism if possible. | LLM | SKILL.md:28 |