Trust Assessment
project-hiro received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 54 findings: 15 critical, 31 high, 8 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Unsafe deserialization / dynamic eval", and "Missing required field: name".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (54)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:152 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/unaveragetech/project-hiro/scripts/pipin.py:102 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/unaveragetech/project-hiro/scripts/pipin.py:191 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:51 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:223 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:256 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:473 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:477 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:496 | |
| CRITICAL | Dangerous call: exec() Call to 'exec()' detected in function 'load_glyph_core'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:223 | |
| CRITICAL | Dangerous call: exec() Call to 'exec()' detected in function 'run_glyph_file'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:256 | |
| CRITICAL | Dangerous call: exec() Call to 'exec()' detected in function 'load_encoder'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:473 | |
| CRITICAL | Dangerous call: exec() Call to 'exec()' detected in function 'load_encoder'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:477 | |
| CRITICAL | Dangerous call: exec() Call to 'exec()' detected in function 'decode_and_execute'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:496 | |
| CRITICAL | Arbitrary Code Execution via `exec()` in Glyph Runner The `scripts/glyph_runner.py` explicitly uses `exec()` to run decrypted Python code entirely in memory. This allows for arbitrary code execution from potentially untrusted `.glyph` files. The skill itself warns: '⚠️ SECURITY RISK: Allows arbitrary code execution - only run trusted .glyph files!'. This is a fundamental design choice that introduces a severe command injection vulnerability if the source of `.glyph` files is not absolutely trusted, granting excessive permissions to potentially malicious code. Re-architect the skill to avoid direct `exec()` of untrusted or semi-trusted code. If code execution is necessary, implement a secure sandbox environment with strict resource and capability limitations. Validate and sanitize all input before execution. | LLM | scripts/glyph_runner.py:75 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:9 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_core.py:50 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:7 | |
| HIGH | Unsafe deserialization / dynamic eval Python builtins/import manipulation Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:178 | |
| HIGH | Unsafe deserialization / dynamic eval Python builtins/import manipulation Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:179 | |
| HIGH | Unsafe deserialization / dynamic eval Python builtins/import manipulation Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:181 | |
| HIGH | Unsafe deserialization / dynamic eval Python builtins/import manipulation Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:182 | |
| HIGH | Unsafe deserialization / dynamic eval Python builtins/import manipulation Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:183 | |
| HIGH | Unsafe deserialization / dynamic eval Python builtins/import manipulation Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:184 | |
| HIGH | Unsafe deserialization / dynamic eval Python builtins/import manipulation Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:185 | |
| HIGH | Unsafe deserialization / dynamic eval Python builtins/import manipulation Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:438 | |
| HIGH | Unsafe deserialization / dynamic eval Python builtins/import manipulation Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:439 | |
| HIGH | Unsafe deserialization / dynamic eval Python builtins/import manipulation Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:442 | |
| HIGH | Dangerous call: __import__() Call to '__import__()' detected in function 'load_glyph_core'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:178 | |
| HIGH | Dangerous call: __import__() Call to '__import__()' detected in function 'load_glyph_core'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:179 | |
| HIGH | Dangerous call: __import__() Call to '__import__()' detected in function 'load_glyph_core'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:181 | |
| HIGH | Dangerous call: __import__() Call to '__import__()' detected in function 'load_glyph_core'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:182 | |
| HIGH | Dangerous call: __import__() Call to '__import__()' detected in function 'load_glyph_core'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:183 | |
| HIGH | Dangerous call: __import__() Call to '__import__()' detected in function 'load_glyph_core'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:184 | |
| HIGH | Dangerous call: __import__() Call to '__import__()' detected in function 'load_glyph_core'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:185 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'load_glyph_core'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:152 | |
| HIGH | Dangerous call: __import__() Call to '__import__()' detected in function 'load_encoder'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:438 | |
| HIGH | Dangerous call: __import__() Call to '__import__()' detected in function 'load_encoder'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:439 | |
| HIGH | Dangerous call: __import__() Call to '__import__()' detected in function 'load_encoder'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/hiro_notepad.py:442 | |
| HIGH | Dangerous call: subprocess.check_call() Call to 'subprocess.check_call()' detected in function 'ensure_tqdm_installed'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/pipin.py:102 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'install_requirements'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/unaveragetech/project-hiro/scripts/pipin.py:191 | |
| HIGH | Command Injection via `subprocess` in Glyph Runner The `scripts/glyph_runner.py` uses `subprocess.run` to execute `hiro_core.py` to decode the `glyph_core.txt` file. While `hiro_core.py` is a local script, the content it processes (`glyph_core.txt`) is part of the skill package and could potentially be manipulated. This creates a command injection risk, as it executes another Python script via `subprocess`, which then feeds into the `exec()` call, forming a chain of execution for potentially untrusted code. Avoid using `subprocess` to execute internal Python scripts. Instead, import the necessary functions/classes directly and call them within the current process. This reduces the attack surface and avoids shell-related vulnerabilities. | LLM | scripts/glyph_runner.py:59 | |
| HIGH | Data Exfiltration via System Fingerprinting Both `scripts/hiro_core.py` and `scripts/hiro_notepad.py` collect sensitive system information (CPU model, total RAM, hostname, OS name) to create a 'system fingerprint'. While the skill claims this is for 'system-bound encryption' and 'not shareable', the `SKILL.md` also mentions 'Cross-system compatibility via exported system variables' and `references/system_vars.json`. This implies the fingerprint or derived key material *can* be shared or replicated, creating a risk of sensitive system data being exfiltrated or used to track the agent's environment. Re-evaluate the necessity of collecting detailed system hardware information. If a unique identifier is needed, use a less intrusive method or ensure that the collected data is strictly anonymized and never leaves the local environment. Clarify and enforce that no system fingerprint data or derived keys are ever transmitted or stored externally. | LLM | scripts/hiro_core.py:100 | |
| HIGH | Supply Chain Risk via Automated Dependency Installation and Discovery The `scripts/pipin.py` module, used by `hiro_core.py`, automatically installs dependencies from `requirements.txt`. More critically, it includes a feature to 'Scan all Python files in the project directory for third-party imports. Identifies any libraries that are imported but not listed in 'requirements.txt' and appends them.' This mechanism can be exploited by an attacker who introduces a Python file with a malicious import (e.g., a typosquatted package name). `pipin.py` would then attempt to install this potentially malicious package, leading to arbitrary code execution or system compromise. Remove the automatic 'missing library detection' and appending to `requirements.txt` functionality. Dependencies should be explicitly declared and managed. Require manual review and approval for any changes to `requirements.txt`. Avoid automatic installation of packages without user consent or strict vetting. | LLM | scripts/pipin.py:29 | |
| HIGH | Command Injection via `pip install` in `pipin.py` The `scripts/pipin.py` module uses `subprocess.check_call` to execute `pip install` commands. This is a direct command injection vulnerability if the package names or versions are derived from untrusted input. Combined with the 'missing library detection' feature, this creates a critical exploit path where an attacker could trick the system into installing and executing arbitrary packages. If package installation is absolutely necessary within a skill, ensure that all package names and versions are hardcoded or strictly validated against a whitelist. Never derive package names from untrusted input. Ideally, dependencies should be managed at the agent environment level, not within individual skills. | LLM | scripts/pipin.py:78 | |
| HIGH | Excessive Permissions and Supply Chain Risk via Addon System The `scripts/glyph_runner.py` implements an 'Addon system' where 'Addons are stored in the 'addons/' folder' and 'Addons are automatically discovered and loaded'. This creates an excessive permissions vulnerability and a supply chain risk. An attacker could place a malicious Python script in the `addons/` folder, and `glyph_runner.py` would automatically load and execute it, potentially with the same privileges as the main skill. This also acts as a hidden instruction mechanism if the addon's presence is not obvious. Remove automatic addon discovery and loading. If addons are necessary, they should be explicitly configured, signed, and loaded only after strict validation and user consent. Implement a sandboxing mechanism for addon execution to limit their capabilities. | LLM | scripts/glyph_runner.py:33 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:26 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:308 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/glyph_runner.py:388 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_core.py:220 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_core.py:1024 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/unaveragetech/project-hiro/scripts/hiro_core.py:1040 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/unaveragetech/project-hiro/SKILL.md:1 | |
| MEDIUM | Hidden Execution Mode in GUI Notepad The `SKILL.md` and `scripts/hiro_notepad.py` describe a 'hidden Hiro glyph execution mode' activated by typing 'project hiro' in the GUI. This allows for code execution through a non-obvious trigger within a seemingly innocuous application. While it's an internal feature, the 'hidden' aspect makes it a potential vector for unexpected or unauthorized actions, especially if the agent or user is unaware of its capabilities. Remove hidden functionalities that trigger code execution. All code execution paths should be transparent and require explicit user confirmation. If such a feature is desired, it should be clearly documented and accessible through standard UI elements, not hidden keywords. | LLM | SKILL.md:105 |