Trust Assessment
pocket-transcripts received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 3 critical, 4 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, File read + network send exfiltration, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings9
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/tmustier/heypocket-reader/scripts/reader.py:301 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/tmustier/heypocket-reader/SKILL.md:23 | |
| CRITICAL | Credential Harvesting and Storage The skill is explicitly designed to extract a user's Firebase Bearer token (and potentially a refresh token) from their browser's IndexedDB and store it locally in `~/.pocket_token.json`. This involves handling highly sensitive authentication credentials, which, if compromised, could grant unauthorized access to the user's Pocket AI account. The `save_token` function writes these credentials to disk. Re-evaluate the necessity of storing raw access/refresh tokens. If storage is unavoidable, ensure robust encryption at rest and strict access controls for the token file. Consider using an OAuth flow that provides short-lived tokens and handles refresh securely without exposing the refresh token directly to the skill's local storage. Implement secure credential management best practices. | LLM | scripts/reader.py:20 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'extract_token_from_browser'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/tmustier/heypocket-reader/scripts/reader.py:301 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/tmustier/heypocket-reader/SKILL.md:23 | |
| HIGH | Excessive Browser Permissions for Token Extraction The skill's token extraction method requires launching a web browser with the user's full profile (`--profile`) and then programmatically navigating to `app.heypocket.com` to extract credentials from IndexedDB. This grants the skill broad and excessive access to the user's entire browser profile, including cookies, history, saved passwords, and other sensitive data, far beyond what is necessary to obtain a single token. This significantly increases the attack surface. Explore alternative, more granular authentication methods that do not require full browser profile access. If browser automation is essential, use a dedicated, isolated browser profile for the skill to minimize exposure of the user's primary browsing data. Implement strict sandboxing for browser interactions. | LLM | SKILL.md:25 | |
| HIGH | Potential Command Injection via Subprocess Calls The `scripts/reader.py` file imports the `subprocess` module, and the skill's setup instructions explicitly direct the user to run `python3 scripts/reader.py extract`. This 'extract' functionality, which is not fully shown but implied by the context, must use `subprocess` to interact with external browser automation scripts (`start.js`, `nav.js`). If the arguments passed to these subprocess calls are constructed using unsanitized user input, or if the external scripts themselves are vulnerable, it could lead to arbitrary command execution on the host system. Thoroughly review the `extract_token` function (or equivalent) for any `subprocess` calls. Ensure all arguments passed to `subprocess` functions are hardcoded or strictly validated and sanitized, especially if they originate from user input or external sources. Prefer `subprocess.run` with `shell=False` and explicit argument lists. If external scripts are executed, ensure their integrity and security. | LLM | scripts/reader.py:14 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/tmustier/heypocket-reader/scripts/reader.py:130 | |
| MEDIUM | Supply Chain Risk from External Browser Automation Scripts The skill relies on external JavaScript files (`~/.factory/skills/browser/start.js` and `~/.claude/skills/browser/nav.js`) for critical browser automation tasks, including launching the browser and navigating to the Pocket AI login page. These scripts are not part of the skill package, and their source, integrity, and security are not managed or guaranteed by the skill itself. A compromise or malicious modification of these external scripts could directly impact the security of this skill and the user's system. Integrate necessary browser automation logic directly into the skill's codebase or use well-maintained, auditable, and version-pinned libraries. If external scripts must be used, implement mechanisms to verify their integrity (e.g., checksums) before execution and ensure they are sourced from trusted, immutable locations. | LLM | SKILL.md:25 |
Scan History
Embed Code
[](https://skillshield.io/report/a1418d919f9fdb7b)
Powered by SkillShield