Trust Assessment
quickbooks received a trust score of 77/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. The findings are: embedded shell script execution via `python <<'EOF'`; direct access to `os.environ` for the API key in examples; and a SQL-like query language susceptible to injection if user input is not sanitized.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Embedded shell script execution via `python <<'EOF'`.** The skill documentation includes multiple examples demonstrating API usage by embedding Python scripts within 'bash' blocks using the `python <<'EOF'` construct. This pattern instructs the LLM to execute shell commands. If an attacker can manipulate the LLM's output, they could inject arbitrary shell commands or alter the Python script to perform malicious actions on the host system where the LLM's generated code is executed. **Recommendation:** Avoid embedding direct shell execution commands in skill documentation intended for LLM consumption. Instead, provide Python-only or JavaScript-only code examples that the LLM can directly interpret and execute within a safer, sandboxed environment, or provide API specifications (e.g., OpenAPI) that the LLM can use to construct calls without generating shell scripts. If shell execution is unavoidable, ensure strict input validation and sandboxing. | LLM | SKILL.md:10 |
| MEDIUM | **Direct access to `os.environ` for API key in examples.** The skill's code examples explicitly show how to retrieve the `MATON_API_KEY` directly from `os.environ`. While this is required for the skill's operation, providing these direct access patterns in untrusted content increases the risk that a malicious prompt could manipulate the LLM to exfiltrate this sensitive environment variable or others accessible to the execution environment. **Recommendation:** If possible, abstract environment variable access behind a secure function or tool call that does not expose the raw `os.environ` object to the LLM. If direct access is necessary, emphasize the importance of sandboxing the execution environment and strictly validating LLM-generated code before execution. | LLM | SKILL.md:13 |
| MEDIUM | **SQL-like query language susceptible to injection if user input is not sanitized.** The skill exposes a SQL-like query language for interacting with QuickBooks data. Examples demonstrate constructing queries via URL parameters (e.g., `query=SELECT%20*%20FROM%20Customer%20WHERE%20DisplayName%20LIKE%20'John%'`). If an LLM is prompted to generate these queries using unsanitized user-provided input, it could lead to SQL injection attacks against the underlying QuickBooks API, potentially allowing unauthorized data access or manipulation. **Recommendation:** Instruct the LLM to always sanitize or validate any user-provided input before incorporating it into SQL-like query strings. Provide clear guidelines or helper functions for safe query construction. The Maton gateway should also implement robust input validation and sanitization for these query parameters. | LLM | SKILL.md:169 |