Trust Assessment
portainer received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 6 critical, 6 high, 2 medium, and 0 low severity. Key findings include "File read + network send exfiltration", "Sensitive path access: AI agent config", and "Sensitive environment variable access: $HOME".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **File read + network send exfiltration.** AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/asteinberger/portainer/SKILL.md:51 |
| CRITICAL | **File read + network send exfiltration.** AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/asteinberger/portainer/SKILL.md:249 |
| CRITICAL | **File read + network send exfiltration.** AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/asteinberger/portainer/SKILL.md:250 |
| CRITICAL | **File read + network send exfiltration.** AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/asteinberger/portainer/SKILL.md:251 |
| CRITICAL | **File read + network send exfiltration.** AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/asteinberger/portainer/portainer.sh:21 |
| CRITICAL | **Shell Command Injection via URL Path Parameter.** The script constructs `curl` URLs by directly interpolating user-supplied input for the `ENDPOINT` variable (derived from command-line arguments $2 or $3). Since `$ENDPOINT` is placed within a double-quoted string that forms part of the `curl` command's URL argument, any shell metacharacters (e.g., command substitution like `$(evil_command)` or backticks) present in `$ENDPOINT` will be executed by the shell before the `curl` command is invoked. This allows an attacker to execute arbitrary shell commands. Sanitize or strictly validate the `ENDPOINT` variable to ensure it contains only expected characters (e.g., digits if it's an ID). For numeric IDs, use a regex check like `[[ "$ENDPOINT" =~ ^[0-9]+$ ]]`. If `ENDPOINT` can be a string, it must be properly URL-encoded and shell-escaped before being used in the `curl` command, or passed as a separate argument to `curl` if possible. | LLM | portainer.sh:55 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/asteinberger/portainer/SKILL.md:51 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/asteinberger/portainer/SKILL.md:249 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/asteinberger/portainer/SKILL.md:250 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/asteinberger/portainer/SKILL.md:251 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/asteinberger/portainer/portainer.sh:21 |
| HIGH | **Credential Harvesting via Unvalidated API URL.** The script loads `PORTAINER_API_KEY` and `PORTAINER_URL` from environment variables or `~/.clawdbot/.env`. The `PORTAINER_API_KEY` is then used in the `X-API-Key` header for all `curl` requests to the `PORTAINER_URL`. There is no validation of the `PORTAINER_URL`. An attacker who can manipulate the `PORTAINER_URL` (e.g., via prompt injection to the LLM that sets environment variables or modifies the `.env` file) could redirect all API calls, including the `PORTAINER_API_KEY`, to an arbitrary malicious server, leading to credential harvesting. Implement strict validation for `PORTAINER_URL` to ensure it points to a trusted Portainer instance. This could involve checking against a whitelist of allowed URLs, performing DNS lookups and IP validation, or at minimum, ensuring it adheres to a strict URL format and does not contain unexpected characters or protocols. | LLM | portainer.sh:26 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/asteinberger/portainer/portainer.sh:13 |
| MEDIUM | **jq Filter Injection via Container Name.** The script uses user-supplied container names (`$CONTAINER`) directly within a `jq` filter string: `select(.Names[0] == "/$CONTAINER")`. If `$CONTAINER` contains `"` or other `jq` syntax characters, it can break out of the string literal within the `jq` filter. This could allow an attacker to manipulate the `jq` query, leading to unexpected data processing, information disclosure, or denial of service through malformed queries. Properly escape the `$CONTAINER` variable for `jq` string literals. The recommended approach is to pass the container name as a `jq` variable using the `--arg` option, which handles escaping automatically. For example: `jq -r --arg container_name "$CONTAINER" '.[] \| select(.Names[0] == ("/" + $container_name)) \| .Id'`. | LLM | portainer.sh:103 |