Trust Assessment
radio-copilot received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 22 findings: 9 critical, 12 high, 1 medium, and 0 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings22
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davestarling/moltbot-satellite-copilot/scripts/orchestrator.py:68 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davestarling/moltbot-satellite-copilot/scripts/orchestrator.py:72 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davestarling/moltbot-satellite-copilot/scripts/radio_scheduler.py:62 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davestarling/moltbot-satellite-copilot/scripts/radio_scheduler.py:80 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davestarling/moltbot-satellite-copilot/scripts/radio_scheduler.py:94 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davestarling/moltbot-satellite-copilot/scripts/radio_scheduler.py:178 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/davestarling/moltbot-satellite-copilot/scripts/radio_scheduler.py:170 | |
| CRITICAL | Remote Command Injection via SSH with untrusted config The `ssh` function in `scripts/orchestrator.py` constructs an SSH command using `remote_cmd` directly from the skill's configuration (`config.json`). If an attacker can modify `config.json`, they can inject arbitrary commands to be executed on the remote SSH server specified by the `host` and `user` fields, also from the configuration. Do not pass `remote_cmd` directly as a single argument to `ssh`. Instead, if the command is fixed, pass it as a list of arguments. If the command is dynamic, ensure it is properly sanitized or executed within a constrained environment (e.g., a specific script on the remote host with limited capabilities) to prevent arbitrary command execution. | LLM | scripts/orchestrator.py:70 | |
| CRITICAL | Local Command Injection via `subprocess.run(shell=True)` with untrusted config The `radio_scheduler.py` script executes a capture command using `subprocess.run(cmd, shell=True)` where `cmd` is read directly from the `config.json` (`cap.get("command")`). This allows an attacker who can modify `config.json` to execute arbitrary shell commands on the local host system where the skill is running. Avoid `shell=True` when executing external commands with untrusted input. If shell features are strictly necessary, ensure the command is thoroughly sanitized or use a more secure method like executing a predefined script with arguments, rather than directly executing arbitrary strings from configuration. | LLM | scripts/radio_scheduler.py:177 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/davestarling/moltbot-satellite-copilot/scripts/radio_scheduler.py:170 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'send_whatsapp'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/davestarling/moltbot-satellite-copilot/scripts/orchestrator.py:68 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/davestarling/moltbot-satellite-copilot/scripts/orchestrator.py:72 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_pass_predictor'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/davestarling/moltbot-satellite-copilot/scripts/radio_scheduler.py:80 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'send_notify'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/davestarling/moltbot-satellite-copilot/scripts/radio_scheduler.py:94 | |
| HIGH | Dangerous call: subprocess.check_output() Call to 'subprocess.check_output()' detected in function 'run_pass_predictor'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/davestarling/moltbot-satellite-copilot/scripts/radio_scheduler.py:62 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/davestarling/moltbot-satellite-copilot/scripts/radio_scheduler.py:178 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/davestarling/moltbot-satellite-copilot/SKILL.md:11 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/davestarling/moltbot-satellite-copilot/SKILL.md:12 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/davestarling/moltbot-satellite-copilot/SKILL.md:13 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/davestarling/moltbot-satellite-copilot/SKILL.md:25 | |
| HIGH | Unpinned Node.js dependencies The `scripts/pass_predictor.mjs` file imports `node-fetch` and `satellite.js` without specifying exact versions. This makes the skill vulnerable to supply chain attacks if a malicious update is pushed to these packages or if a breaking change is introduced in a new version, potentially leading to unexpected behavior or security vulnerabilities. Pin the versions of `node-fetch` and `satellite.js` in a `package.json` file and use a package manager (like `npm` or `yarn`) to install them, ensuring reproducible and secure dependency management. | LLM | scripts/pass_predictor.mjs:7 | |
| MEDIUM | Configurable WhatsApp target allows data exfiltration The `send_whatsapp` (in `orchestrator.py`) and `send_notify` (in `radio_scheduler.py`) functions send satellite pass information to a `target` specified in the `config.json`. While the information itself (pass times, azimuth, elevation) is not highly sensitive, an attacker who gains control of the `config.json` could redirect these alerts to an arbitrary phone number, potentially exfiltrating operational data or using the skill as an unauthorized messaging relay. Implement stricter validation or whitelisting for the `target` field in the configuration. Consider encrypting sensitive configuration values or requiring explicit user confirmation for changes to critical settings like alert recipients. | LLM | scripts/orchestrator.py:65 |
Scan History
Embed Code
[](https://skillshield.io/report/1d55f3097db89ab0)
Powered by SkillShield