Trust Assessment
points-recharge received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include "Potential Command Injection via `curl` command in QR code handling", "Potential Command Injection via `base64 -d` command in QR code handling", and "Excessive Permissions: Arbitrary file opening via `open` command".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection via `curl` command in QR code handling.** The skill explicitly instructs the LLM to execute a `curl` command to download a QR code image. The `{qrcode_url}` variable is interpolated directly into the shell command. If `qrcode_url` can be influenced by untrusted input (e.g., from a malicious tool response or user input), an attacker could inject arbitrary shell commands by crafting a malicious URL that includes shell metacharacters (e.g., `;`, `\|`, `&`, `$()`). This allows for arbitrary code execution on the host system. Avoid direct shell command execution with interpolated variables. If URL fetching is necessary, use a secure execution environment that strictly sanitizes or whitelists inputs, or use a dedicated tool/API that handles URL fetching and file saving securely without exposing shell access. Consider using a sandboxed environment or a dedicated image download function provided by the agent platform that does not involve direct shell command construction. | LLM | SKILL.md:73 |
| CRITICAL | **Potential Command Injection via `base64 -d` command in QR code handling.** The skill explicitly instructs the LLM to execute an `echo` command piped to `base64 -d` to decode a base64 string into a file. The `{base64_string}` variable is interpolated directly into the `echo` command. If `base64_string` can be influenced by untrusted input, an attacker could inject arbitrary shell commands by crafting a malicious base64 string that, when decoded or even before decoding, contains shell metacharacters or command substitutions (e.g., `$(command)`). This allows for arbitrary code execution on the host system. Avoid direct shell command execution with interpolated variables. If base64 decoding is necessary, use a dedicated, secure library function or API provided by the agent platform that handles decoding without exposing shell access. Ensure the source of `base64_string` is trusted and validated, and that the decoding process is sandboxed. | LLM | SKILL.md:78 |
| HIGH | **Excessive Permissions: Arbitrary file opening via `open` command.** The skill instructs the LLM to use the `open` command to display the downloaded or decoded QR code image (`payment_qrcode.png`). While the filename is fixed, the `open` command itself, if executed in an unrestricted environment, represents an overly broad permission. If a prior command injection (e.g., through `curl` or `echo`) were successful, an attacker could potentially create or modify other files, which the `open` command might then be instructed to open, leading to unintended application launches or exposure of sensitive data. Relying on a general `open` command for displaying an image grants broader capabilities than strictly necessary for the skill's function. Use a dedicated, sandboxed image display function or API provided by the agent platform that only allows displaying specific, validated image files, rather than a general `open` command. This limits the scope of what the agent can do with file system interactions and prevents potential abuse. | LLM | SKILL.md:73 |