Trust Assessment
raindrop received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Command Injection via Unsanitized User Input in JSON Payload, Command Injection via Unsanitized Delay Parameter in `bc`, Potential Command Injection/Data Exfiltration via Sourcing User-Controlled Environment File.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Command Injection via Unsanitized User Input in JSON Payload The `raindrop.sh` script constructs JSON payloads for `curl -d` by directly embedding user-provided arguments without proper escaping. This allows an attacker to inject arbitrary shell commands by crafting malicious input that breaks out of the JSON string and executes shell code. This vulnerability is present in multiple commands:
1. `create-collection NAME`: The `NAME` argument is directly inserted into the JSON title field.
2. `add URL [COLLECTION_ID]`: The `URL` and `COLLECTION_ID` arguments are directly inserted into the JSON link and collectionId fields.
3. `bulk-move IDS TARGET [SOURCE]`: The `IDS` (comma-separated list) and `TARGET_COLLECTION` arguments are directly inserted into the JSON array and collectionId fields.
4. `suggest URL`: The `URL` argument is directly inserted into the JSON link field.
An example exploit for `create-collection` would be providing a name like `"foo"; rm -rf /; echo "` which would result in the `rm -rf /` command being executed. Sanitize all user-provided strings before embedding them into JSON payloads. For shell scripts, this typically involves using a tool like `jq` with `--arg` to construct the JSON, or a custom function to escape special characters (e.g., double quotes, backslashes) that could break the JSON string or shell quoting. For example, instead of `"{\"title\":\"$name\"}"`, use `jq -nc --arg name "$name" '{"title": $name}'` to generate the JSON payload safely. | LLM | scripts/raindrop.sh:100 | |
| HIGH | Command Injection via Unsanitized Delay Parameter in `bc` The `rate_limit` function uses the `bc` command to perform floating-point arithmetic on the `$DELAY` variable, which is derived from user input (`--delay MS`). If `$DELAY` contains shell metacharacters or commands, it can lead to command injection. For example, if `$DELAY` is `100; malicious_command`, the `bc` command would execute `100; malicious_command/1000`, leading to the execution of `malicious_command`. Validate and sanitize the `$DELAY` variable to ensure it contains only numeric values before passing it to `bc`. A simple check like `[[ "$DELAY" =~ ^[0-9]+$ ]]` can prevent non-numeric input. Alternatively, use `printf` with `%f` or a similar method to ensure numeric interpretation. | LLM | scripts/raindrop.sh:60 | |
| MEDIUM | Potential Command Injection/Data Exfiltration via Sourcing User-Controlled Environment File The script attempts to load the `RAINDROP_TOKEN` from `~/.config/raindrop.env` using the `source` command if the token is not already set. While the `SKILL.md` instructs the user to create this file with a benign token assignment, the `source` command executes arbitrary shell code present in the file. If an attacker can manipulate the contents of `~/.config/raindrop.env` (e.g., through a separate vulnerability or social engineering), they could inject and execute arbitrary commands or exfiltrate data when the skill is run. Avoid using `source` on user-controlled files for sensitive configurations. Instead, parse the file explicitly for expected key-value pairs, ensuring that only the intended variables are read and no arbitrary code is executed. For example, use `grep` and `cut` to extract the token value, or a dedicated configuration parsing library if available. | LLM | scripts/raindrop.sh:16 |
Scan History
Embed Code
[](https://skillshield.io/report/97bf3456aa0a136b)
Powered by SkillShield