Trust Assessment
reachy-mini received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 4 critical, 4 high, 0 medium, and 0 low severity. Key findings include: Network egress to untrusted endpoints; Remote code execution: curl/wget pipe to shell; and Weak default SSH password for robot access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/afalk42/reachy-mini/SKILL.md:228 |
| CRITICAL | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/afalk42/reachy-mini/SKILL.md:231 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/afalk42/reachy-mini/scripts/reachy-react.sh:32 |
| CRITICAL | Remote command injection via `snap` command arguments. The `snap` command in `reachy.sh` executes a Python script on the remote robot via SSH. The `REMOTE_OUTPUT` variable, which is derived from user input (`OUTPUT`), is directly interpolated into the `ssh_cmd` string without proper sanitization or quoting. An attacker can inject arbitrary shell commands into `OUTPUT` (e.g., `'; rm -rf /'`) which will be executed on the remote robot with the privileges of the SSH user (defaulting to `pollen` with `root` password). Ensure all user-provided arguments passed to `ssh_cmd` are properly sanitized or quoted to prevent shell metacharacter interpretation. A safer approach would be to pass arguments as separate parameters to `ssh` (e.g., `ssh ... python3 "${REMOTE_SCRIPT}" "${REMOTE_OUTPUT}" "${PRODUCER_ID}"`) or use a more robust remote execution mechanism that doesn't rely on shell interpolation. | LLM | scripts/reachy.sh:300 |
| HIGH | Weak default SSH password for robot access. The skill's `reachy.sh` script uses `REACHY_SSH_PASS` for SSH access to the robot, which defaults to `root`. This is a highly insecure default password, making the robot vulnerable to unauthorized access. While not directly 'harvesting' credentials from the user, it exposes a weak default that could be exploited by anyone with access to the skill or the robot's network. Change the default `REACHY_SSH_PASS` to a strong, randomly generated password or, preferably, remove the default and require the user to explicitly set it. Encourage the use of SSH keys instead of passwords for better security. | LLM | scripts/reachy.sh:109 |
| HIGH | Local arbitrary file overwrite/data exfiltration via `snap` command output path. The `snap` command in `reachy.sh` allows the user to specify an arbitrary local `OUTPUT` path for the captured image. This path is then used directly in `scp_from "${REMOTE_OUTPUT}" "${OUTPUT}"`. An attacker can provide a path like `../../../../etc/passwd` to overwrite sensitive local files or specify a path to exfiltrate data to an unexpected location on the local system. Restrict the `OUTPUT` path to a safe directory (e.g., `/tmp/`) or validate it rigorously to prevent path traversal attacks. Ensure that the `scp_from` command is used with proper quoting for both source and destination paths. | LLM | scripts/reachy.sh:305 |
| HIGH | Local command injection via `raw` command `PATH` and `BODY` arguments. The `raw` command in `reachy.sh` allows direct API calls using `curl`. The `PATH` and `BODY` arguments are directly interpolated into the `curl` command string. If these arguments contain shell metacharacters (e.g., `$(command)` or `'; malicious_command'`), they could be executed on the local system where `reachy.sh` is run. Properly quote or sanitize `PATH` and `BODY` variables when constructing the `curl` command to prevent shell metacharacter interpretation. For example, use `curl ... --url "${BASE}${path}?${query}"` and `curl ... -d "${body}"` to ensure the values are treated as literal strings by the shell. | LLM | scripts/reachy.sh:350 |
| HIGH | Skill requires SSH access with root privileges on the robot. The `SKILL.md` explicitly states that the `snap` command requires SSH access and that the `REACHY_SSH_PASS` environment variable defaults to `root`. This indicates that the skill is designed to operate with root privileges on the target robot, which is an excessive level of permission for its stated functionality (robot control and snapshots). This significantly increases the impact of any command injection vulnerabilities. Configure the robot with a dedicated, unprivileged user account for skill operations. Ensure this user has only the minimum necessary permissions to perform its tasks. Avoid using `root` for routine operations. | LLM | SKILL.md:30 |