Trust Assessment
raysurfer received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 6 critical, 3 high, 3 medium, and 0 low severity. Key findings include "Dangerous tool allowed: Bash", "Suspicious import: urllib.request", and "Remote code execution: curl/wget pipe to shell".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/ryx2/raysurfer/search.sh:4 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/ryx2/raysurfer/upload.sh:6 |
| CRITICAL | Shell command injection via unescaped task argument in search.sh. The `search.sh` script directly interpolates the user-provided `$TASK` variable into the `curl -d` argument without proper shell or JSON escaping. This allows an attacker to inject arbitrary shell commands or manipulate the JSON payload by crafting the `task` argument. For example, `bash search.sh 'foo", "evil": "$(id)"}'` would execute the `id` command and embed its output into the JSON sent to the API. Use `jq` or `python -c 'import json,sys; print(json.dumps(sys.argv[1]))'` to properly escape the `$TASK` variable before embedding it into the JSON string, or use a safer method to construct the JSON payload. For example, `TASK_JSON=$(jq -n --arg task "$TASK" '{"task": $task, "top_k": 5, "min_verdict_score": 0.3}')` and then `-d "$TASK_JSON"`. | LLM | search.sh:5 |
| CRITICAL | Shell command injection via unescaped task argument in upload.sh. Similar to `search.sh`, the `upload.sh` script directly interpolates the user-provided `$TASK` variable into the `curl -d` argument without proper shell or JSON escaping. This allows an attacker to inject arbitrary shell commands or manipulate the JSON payload by crafting the `task` argument. Use `jq` or `python -c 'import json,sys; print(json.dumps(sys.argv[1]))'` to properly escape the `$TASK` variable before embedding it into the JSON string. | LLM | upload.sh:6 |
| CRITICAL | Shell command injection and data exfiltration via unescaped filepath in upload.sh. The `upload.sh` script uses the user-provided `$FILE` variable directly in `cat "$FILE"` and `basename "$FILE"`. This allows for shell command injection if `$FILE` contains metacharacters (e.g., `"; rm -rf /"`). Furthermore, `cat "$FILE"` reads the content of any specified file, which is then uploaded to the remote API. This constitutes a severe data exfiltration vulnerability, allowing an attacker to read and upload sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) from the agent's environment. Ensure `$FILE` is properly sanitized before use in shell commands. For reading file content, consider using a safer method that doesn't involve direct shell execution of `cat` with an unvalidated path, or strictly validate the `filepath` argument. For `basename`, ensure the input is sanitized. A more robust approach would be to pass the file content directly to the script via stdin or use a dedicated file reading utility that handles paths securely. | LLM | upload.sh:4 |
| CRITICAL | Direct instruction for LLM to use unvalidated $ARGUMENTS. The `SKILL.md` explicitly instructs the LLM to use `$ARGUMENTS` directly ("When `$ARGUMENTS` is provided, use it as: `$ARGUMENTS`"). If the LLM constructs a shell command or other execution context using this unvalidated input, it creates a direct path for prompt injection (manipulating the LLM's subsequent actions) and command injection (executing arbitrary shell commands). This instruction overrides any implicit sanitization the LLM might otherwise perform. Remove the instruction to use `$ARGUMENTS` directly. Instead, instruct the LLM to parse and validate arguments, or use specific, parameterized functions/tools that handle argument sanitization internally. The skill should define how arguments are to be passed to the underlying scripts (e.g., `search.sh "$ARGUMENTS"`), and the scripts themselves should handle sanitization. | LLM | SKILL.md:107 |
| HIGH | Dangerous tool allowed: Bash. The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | skills/ryx2/raysurfer/SKILL.md:1 |
| HIGH | Data exfiltration via arbitrary file upload in upload.py. The `upload.py` script takes a `filepath` argument (`sys.argv[2]`) and reads its content using `open(filepath).read()`, then uploads this content to the Raysurfer API. While this is the intended functionality of an 'upload' skill, the lack of validation or restriction on `filepath` means the LLM could be prompted to upload sensitive files (e.g., `/etc/passwd`, configuration files, private keys) from the agent's environment, leading to data exfiltration. The skill has `Read` permission, which facilitates this. Implement strict validation and sanitization of the `filepath` argument. Restrict file uploads to specific directories or file types, or require explicit user confirmation for sensitive paths. Consider using a more secure file handling mechanism that limits access. | LLM | upload.py:5 |
| HIGH | Data exfiltration via arbitrary file upload in upload.ts. The `upload.ts` script takes a `filepath` argument (`process.argv[3]`) and reads its content using `readFileSync(filepath, "utf-8")`, then uploads this content to the Raysurfer API. Similar to `upload.py`, the lack of validation or restriction on `filepath` means the LLM could be prompted to upload sensitive files from the agent's environment, leading to data exfiltration. The skill has `Read` permission, which facilitates this. Implement strict validation and sanitization of the `filepath` argument. Restrict file uploads to specific directories or file types, or require explicit user confirmation for sensitive paths. | LLM | upload.ts:7 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ryx2/raysurfer/search.py:3 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ryx2/raysurfer/upload.py:3 |
| MEDIUM | Broad Bash and filesystem permissions. The skill declares `Bash`, `Read`, `Write`, `Edit`, and `Glob` permissions. While the skill's functionality (managing code, executing scripts) requires some of these, the combination, especially `Bash` with broad filesystem access, creates a large attack surface. The `Bash` tool allows arbitrary shell command execution, which, when combined with the ability to read/write any file, can lead to severe compromise if the LLM is prompted maliciously or if there are vulnerabilities in the skill's scripts (as identified in other findings). Review if all these permissions are strictly necessary. If `Bash` is required, ensure all commands executed via `Bash` are thoroughly sanitized and restricted. Consider using more granular permissions or sandboxing mechanisms if available. For example, if only specific files need to be read/written, restrict access to those paths. | LLM | Manifest |
Full report: https://skillshield.io/report/e7ee190fb745d0a9 (powered by SkillShield)