Trust Assessment
perry-coding-agents received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Remote Command Injection via unescaped user input in SSH commands, Credential Harvesting via curl command injection and token placeholder.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Remote Command Injection via unescaped user input in SSH commands The skill constructs SSH commands where a user-provided 'task' string is directly embedded into the remote command executed on the workspace. If the 'task' string is not properly escaped or sanitized, an attacker can inject shell metacharacters (e.g., `'; rm -rf /;'`) to execute arbitrary commands on the remote workspace. This vulnerability affects all SSH commands that embed the 'task' string, including those for 'opencode run' and 'claude'. The 'task' string must be properly escaped for shell execution before being embedded into the SSH command. This typically involves using a function that escapes single quotes and other shell metacharacters, or passing the 'task' as an argument to a script that handles it safely, rather than directly embedding it in the shell string. For example, using `printf %q` in bash or a similar mechanism. | LLM | SKILL.md:20 | |
| HIGH | Credential Harvesting via curl command injection and token placeholder The 'curl' command used for wake-up calls includes an 'Authorization: Bearer <hooks-token>' or 'Authorization: Bearer <token>' header. If the LLM replaces '<token>' with a sensitive credential, and the user-provided 'task' string is vulnerable to command injection (as identified in SS-LLM-001), an attacker could manipulate the 'curl' command to exfiltrate this token to an arbitrary external server. This is a direct consequence of the command injection vulnerability combined with the presence of a sensitive placeholder. Ensure the 'task' string is thoroughly escaped to prevent command injection. Additionally, consider if the sensitive token should be passed directly within the 'task' string. If the token is highly sensitive, it might be better managed by the host environment or passed via a more secure mechanism that doesn't expose it to potential manipulation by the remote command string. | LLM | SKILL.md:33 |
Scan History
Embed Code
[](https://skillshield.io/report/863083774dc863bc)
Powered by SkillShield