Trust Assessment
The `places` skill received a trust score of 24/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 0 medium, and 1 low severity. Key findings include "File read + network send exfiltration", "Sensitive path access: AI agent config", and "Command Injection Vulnerability in Shell Script".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **File read + network send exfiltration.** AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/barneyjm/places/SKILL.md:55 |
| CRITICAL | **Command Injection Vulnerability in Shell Script.** The `scripts/places.sh` shell script directly embeds user-controlled input (`$INPUT`) into a `curl` command's data payload (`-d "$INPUT"`). This allows an attacker to inject arbitrary shell commands by crafting malicious JSON input that breaks out of the `curl` command's arguments. For example, an input like `{"query": "Eiffel Tower"}' --data-binary @/etc/passwd; rm -rf /tmp/*; echo '` could lead to data exfiltration or arbitrary code execution on the host system. Sanitize or properly escape user input before using it in shell commands. For `curl -d`, consider using a temporary file for the payload (e.g., `echo "$INPUT" > /tmp/payload.json; curl -d @/tmp/payload.json ...`) or ensure the input is strictly valid JSON and cannot contain shell metacharacters. A more robust solution would be to rewrite the skill in a language like Python that offers safer ways to make HTTP requests and handle JSON payloads without direct shell interpolation. | LLM | scripts/places.sh:49 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/barneyjm/places/SKILL.md:55 |
| LOW | **Unpinned Dependency in Installation Instructions.** The installation instruction `npx clawhub@latest install places` uses the `@latest` tag for the `clawhub` package. While `clawhub` is a tool for skill installation, relying on unpinned versions can introduce supply chain risks if a malicious update to `clawhub` is published. Although this is an instruction for the user and not code executed by the skill itself, it's a best practice to recommend pinned versions for security-sensitive tools. Recommend a specific, pinned version of `clawhub` (e.g., `npx clawhub@1.2.3 install places`) to ensure deterministic and secure installations. Alternatively, provide instructions for verifying the integrity of the `clawhub` package. | LLM | SKILL.md:19 |