Trust Assessment
pocket-casts received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 3 critical, 8 high, 3 medium, and 1 low severity. Key findings include Arbitrary command execution, Remote code execution: curl/wget pipe to shell, Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (15)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/manuelhettich/pocket-casts-yt/SKILL.md:28 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/manuelhettich/pocket-casts-yt/SKILL.md:28 |
| CRITICAL | **Command Injection via unsanitized VIDEO_URL.** The `VIDEO_URL` argument, which is user-controlled, is directly interpolated into `uvx yt-dlp` commands without proper shell escaping. A malicious user could inject shell metacharacters (e.g., `$(evil_command)`, `;`, `&&`) into the `VIDEO_URL` to execute arbitrary commands on the host system. Always quote or properly escape user-provided input when passing it to shell commands. In `bash`, double-quote the expansion so it is passed as a single argument (`printf %q` is for strings that a shell will parse again), or consider using a language like Python with `subprocess.run(..., shell=False)` to execute external commands safely. Example: `uvx yt-dlp "${YTDLP_ARGS[@]}" --print "%(title)s\|\|\|%(id)s" "$VIDEO_URL"`. | LLM | scripts/upload.sh:46 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/manuelhettich/pocket-casts-yt/SKILL.md:36 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/manuelhettich/pocket-casts-yt/SKILL.md:37 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/manuelhettich/pocket-casts-yt/SKILL.md:44 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/manuelhettich/pocket-casts-yt/SKILL.md:49 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/manuelhettich/pocket-casts-yt/SKILL.md:61 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/manuelhettich/pocket-casts-yt/SKILL.md:64 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/manuelhettich/pocket-casts-yt/SKILL.md:77 |
| HIGH | **Supply Chain Risk - Unpinned yt-dlp dependency.** The script uses `uvx yt-dlp` to execute the `yt-dlp` tool. `uvx` will fetch the latest available version of `yt-dlp` if not specified. This introduces a supply chain risk as a malicious update to the `yt-dlp` package (e.g., through compromise of the official repository or typosquatting) could be automatically downloaded and executed, leading to arbitrary code execution. Pin the `yt-dlp` dependency to a specific version (e.g., `uvx yt-dlp==2023.11.16`) to ensure deterministic and secure execution. Regularly review and update the pinned version. | LLM | scripts/upload.sh:46 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/manuelhettich/pocket-casts-yt/SKILL.md:30 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/manuelhettich/pocket-casts-yt/scripts/upload.sh:5 |
| MEDIUM | **Potential Path Traversal or Command Injection via OUTPUT_FILE.** The `OUTPUT_FILE` variable is constructed using `VIDEO_ID`, which is extracted from `yt-dlp`'s output. While `yt-dlp` typically sanitizes IDs, if a malicious `VIDEO_ID` (e.g., containing `../` for path traversal or shell metacharacters) were to be returned, it could lead to files being written outside the intended temporary directory or command injection when `OUTPUT_FILE` is used in `stat` or `rm`. Although `yt-dlp`'s `-o` argument is generally robust, relying on an external tool's sanitization for shell arguments is less secure than explicit quoting. Ensure `VIDEO_ID` is strictly validated or sanitized to prevent path traversal characters or shell metacharacters. When using `OUTPUT_FILE` in commands like `stat` or `rm`, always quote the variable (e.g., `stat -c%s "$OUTPUT_FILE"`). A more robust approach would be to generate a unique, random filename within the temp directory, rather than relying on `VIDEO_ID`. | LLM | scripts/upload.sh:58 |
| LOW | **Imperfect JSON sanitization for UPLOAD_TITLE.** The script attempts to sanitize `FINAL_TITLE` using `sed` to escape double quotes and single quotes before embedding it into a JSON payload for a `curl` request. However, `sed`-based JSON escaping is prone to errors and may not handle all edge cases (e.g., backslashes, newlines, control characters) correctly. A specially crafted `CUSTOM_TITLE` or `VIDEO_TITLE` could potentially break the JSON structure, leading to malformed requests or, in a worst-case scenario, JSON injection that alters the request's intent or exfiltrates data if the API endpoint were vulnerable to such manipulation. Use a dedicated JSON parsing and serialization library or tool (e.g., `jq -R -s .` or a Python script) to safely construct JSON payloads, rather than manual string manipulation with `sed`. | LLM | scripts/upload.sh:80 |