Trust Assessment
raglite received a trust score of 22/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, an unpinned Git dependency from the 'main' branch, and potential command injection via `raglite` arguments and `ripgrep` integration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/virajsanghvi1/raglite-local-rag-cache/SKILL.md:38 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/virajsanghvi1/raglite-local-rag-cache/SKILL.md:64 |
| HIGH | Unpinned Git dependency from 'main' branch | The skill installs its primary dependency `raglite` directly from the `main` branch of a GitHub repository (`git+https://github.com/VirajSanghvi1/raglite.git@main`). This means the installed code can change at any time without explicit version control, making the skill vulnerable to supply chain attacks if the upstream repository is compromised or if breaking changes are introduced. The integrity and behavior of the skill are dependent on the mutable state of an external repository's default branch. | Pin the dependency to a specific commit hash, tag, or version. For example, use `git+https://github.com/VirajSanghvi1/raglite.git@v1.0.0` or `git+https://github.com/VirajSanghvi1/raglite.git@<commit_hash>` to ensure deterministic and immutable dependency installation. | LLM | scripts/install.sh:14 |
| MEDIUM | Potential command injection via `raglite` arguments and `ripgrep` integration | The `scripts/raglite.sh` script executes the `raglite` application with user-supplied arguments (`exec raglite "${args[@]}"`). The `SKILL.md` indicates that `raglite` performs 'hybrid keyword search' using the external tool `ripgrep` (`rg`). If the `raglite` application constructs shell commands for `rg` or other external tools using unsanitized user input (e.g., the query string), it could lead to command injection, allowing an attacker to execute arbitrary commands on the host system. While the `exec` call itself correctly passes arguments as distinct tokens, the internal handling of these arguments by the `raglite` Python application is a potential vulnerability point. | Review the source code of the `raglite` application, especially how it handles user-provided query strings and constructs commands for external tools like `ripgrep`. Ensure all external command executions use parameterized calls (e.g., `subprocess.run` with `shell=False` and a list of arguments) or robust input sanitization/escaping to prevent shell metacharacters from being interpreted as commands. | LLM | scripts/raglite.sh:16 |