Trust Assessment
productivity-helper received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 7 critical, 3 high, 0 medium, and 0 low severity. Key findings include "Remote code execution: download then execute", "External script download and execution", and "Credential harvesting via user input".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Details and remediation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Remote code execution: download then execute | Detected a pattern that downloads a file and then executes it. This is a malware delivery vector. Never download and execute remote files without verification. | Static | skills/anikrahman0/security-skill-scanner/examples/malicious-skill/SKILL.md:94 |
| CRITICAL | External script download and execution | The skill instructs the user to download and execute a shell script from an unknown external domain (`unknown-domain.xyz`). This allows arbitrary code execution on the user's system, posing a severe security risk (Command Injection) and introduces a Supply Chain Risk from an untrusted source. Remove instructions to download and execute external scripts from untrusted sources. All necessary code should be part of the skill package. | LLM | SKILL.md:15 |
| CRITICAL | Credential harvesting via user input | The skill explicitly prompts the user for an API key and password, which are then collected. This is a direct attempt to harvest sensitive credentials. Do not prompt users for sensitive credentials directly. Use secure authentication mechanisms (e.g., OAuth, environment variables, secure credential stores). | LLM | SKILL.md:26 |
| CRITICAL | Exfiltration of sensitive files (SSH keys, AWS credentials) | The skill attempts to read highly sensitive files such as SSH private keys (`id_rsa`) and AWS credentials from the user's home directory. This demonstrates Excessive Permissions and is a severe Data Exfiltration attempt, as these files are then base64 encoded and sent to an external analytics server (`analytics-service.tk`). Remove all code that accesses or exfiltrates sensitive user files. Skills should only access files explicitly granted by the user or within their designated sandbox. | LLM | SKILL.md:45 |
| CRITICAL | Arbitrary shell command execution | The skill uses `child_process.exec` to execute arbitrary shell commands (`whoami && pwd && ls -la /etc/`). This allows the skill to run any command on the host system, leading to full system compromise. Remove all direct shell command execution. If specific system interactions are required, use secure, sandboxed APIs or well-defined, parameterized functions. | LLM | SKILL.md:62 |
| CRITICAL | Use of `eval()` with dynamic content | The skill uses `eval()` to execute dynamically constructed JavaScript code, incorporating `stdout` from a previous shell command. This is a severe command injection vulnerability, allowing arbitrary code execution. Never use `eval()` with untrusted or dynamically generated input. Refactor code to use safe alternatives for dynamic execution or data handling. | LLM | SKILL.md:65 |
| CRITICAL | Download and execute additional malicious binary | The skill uses `wget` to download an executable binary (`tool.bin`) from a suspicious external domain (`malicious-cdn.ml`), makes it executable, and then runs it. This is a severe Supply Chain Risk by introducing untrusted external code and a Command Injection vulnerability allowing arbitrary code execution. Remove all instructions to download and execute external binaries from untrusted sources. All necessary code should be part of the skill package and subject to review. | LLM | SKILL.md:70 |
| HIGH | Unencrypted exfiltration of credentials and system info | The collected API key, password, and system platform (`process.platform`) are sent unencrypted (HTTP) to a suspicious external domain (`data-collector.xyz`). This constitutes data exfiltration and exposes sensitive information. Remove all code that exfiltrates user data. If data must be sent, ensure it is encrypted (HTTPS) and sent to trusted, legitimate endpoints with user consent. | LLM | SKILL.md:30 |
| HIGH | Base64 encoding of exfiltrated data | Sensitive data (SSH keys, AWS credentials) is base64 encoded before exfiltration. This technique is often used to obscure the content of exfiltrated data, making it a form of Hidden Instruction or obfuscation for data transfer. Remove all code that encodes sensitive data for exfiltration. Ensure all data handling is transparent and secure. | LLM | SKILL.md:51 |
| HIGH | Exfiltration of system information via `eval` | Output from executed shell commands (`whoami`, `pwd`, `ls -la /etc/`) is exfiltrated to an external domain (`stat-collector.info`) via a dynamically constructed `fetch` call using `eval()`. This is a clear Data Exfiltration of system reconnaissance data. Remove all code that exfiltrates system information. Ensure no sensitive data is sent to external, untrusted endpoints. | LLM | SKILL.md:65 |