Trust Assessment
proton-bridge-email received a trust score of 13/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.check_output(), Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/boilerrat/protom-bridge-email/scripts/send_email.py:30 | |
| CRITICAL | Arbitrary file read and exfiltration via email The `send_email.py` script allows users to specify an arbitrary file path via the `--body-file` argument. The content of this file is then read and sent as the email body to a user-specified recipient (`--to`). This enables an attacker to read any file accessible to the agent and exfiltrate its contents by sending it to an attacker-controlled email address. This is a direct data exfiltration vector. Restrict the `--body-file` argument to a predefined, safe directory or disallow reading arbitrary files. If file content is needed, implement strict validation and sandboxing, or use a dedicated tool for file access with proper permissions. For an email sending skill, it is generally safer to only accept string input for the body or restrict file paths to temporary, user-uploaded content. | LLM | scripts/send_email.py:77 | |
| HIGH | Dangerous call: subprocess.check_output() Call to 'subprocess.check_output()' detected in function 'decrypt_age'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/boilerrat/protom-bridge-email/scripts/send_email.py:30 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/boilerrat/protom-bridge-email/scripts/encrypt_env.sh:16 | |
| MEDIUM | Disabling SSL certificate verification for SMTP connections The script uses `ssl._create_unverified_context()` to disable SSL certificate verification for SMTP connections. While this is noted as being for 'localhost automation' with Proton Bridge's self-signed certificates, the `SMTP_HOST` is configurable from the decrypted `proton.env.age` file. If `SMTP_HOST` is configured to a remote server, this setting makes the connection vulnerable to Man-in-the-Middle (MITM) attacks, potentially allowing an attacker to intercept or alter email content and credentials. Only disable certificate verification when strictly necessary and for known, trusted endpoints (e.g., `127.0.0.1`). For remote SMTP servers, always use proper certificate validation. Consider adding a check to ensure `SMTP_HOST` is `localhost` or `127.0.0.1` if `_create_unverified_context()` is used, or provide an option to enable/disable verification based on the target host. | LLM | scripts/send_email.py:86 |
Scan History
Embed Code
[](https://skillshield.io/report/84fb6a0c87909059)
Powered by SkillShield