Trust Assessment
raglite received a trust score of 14/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 2 high, 0 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, an unpinned Git dependency that allows arbitrary code execution, and potential command injection via a user-supplied query to ripgrep.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/virajsanghvi1/virajsanghvi1-raglite/SKILL.md:38 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/virajsanghvi1/virajsanghvi1-raglite/SKILL.md:64 |
| HIGH | **Unpinned Git dependency allows arbitrary code execution.** The `scripts/install.sh` script installs the `raglite` package directly from the `main` branch of a GitHub repository (`git+https://github.com/VirajSanghvi1/raglite.git@main`). This means that any changes pushed to the `main` branch by the repository maintainers (or an attacker who compromises the repository) will be automatically installed and executed the next time the skill is installed or updated. This bypasses explicit version control and allows for arbitrary code injection into the skill's environment without user review. Pin the dependency to a specific commit hash or a version tag (e.g., `git+https://github.com/VirajSanghvi1/raglite.git@v1.0.0` or `git+https://github.com/VirajSanghvi1/raglite.git@<commit_hash>`). Regularly review and update the pinned version to ensure security and stability. | LLM | scripts/install.sh:15 |
| HIGH | **Potential command injection via user-supplied query to ripgrep.** The skill's `SKILL.md` explicitly states that `ripgrep` (`rg`) is used for keyword search, and the `scripts/raglite.sh` script passes user-supplied arguments (including query strings) directly to the `raglite` Python application. If the `raglite` application constructs a shell command to invoke `rg` using these user-supplied query strings without proper sanitization or escaping (e.g., by using `subprocess.run(..., shell=True)` or `os.system()`), an attacker could inject arbitrary shell commands. For example, a query like `"my query"; rm -rf /` could lead to data loss or further system compromise. The `raglite` application (which is invoked by this script) must ensure that any user-supplied input passed to external commands like `ripgrep` is properly sanitized and escaped. Ideally, external commands should be invoked using `subprocess.run()` with `shell=False` and passing arguments as a list, rather than a single string. If `shell=True` is unavoidable, robust input validation and escaping are critical. | LLM | scripts/raglite.sh:20 |