Trust Assessment
reachy-mini received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 4 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Remote code execution: curl/wget pipe to shell", and "Insecure SSH Password Handling and Default Root Credentials".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/clawd/skills/reachy-mini/SKILL.md:228 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/clawd/skills/reachy-mini/SKILL.md:231 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/snail3d/clawd/skills/reachy-mini/scripts/reachy-react.sh:32 |
| CRITICAL | **Insecure SSH Password Handling and Default Root Credentials.** The skill uses `sshpass` to provide an SSH password, which defaults to `root`. `sshpass` exposes the password in plain text in the process list (`/proc/<pid>/cmdline`) and shell history, making it vulnerable to harvesting. Furthermore, using a default `root` password grants excessive, unconstrained privileges on the remote robot, posing a severe security risk. Eliminate the use of `sshpass` and plain-text passwords. Implement SSH key-based authentication. If passwords are unavoidable, enforce strong, non-default passwords and use a secure secrets management system or interactive prompting. Restrict the SSH user's privileges to the minimum necessary for the skill's operation. | LLM | scripts/reachy.sh:200 |
| HIGH | **Remote Command Injection via `ssh_cmd` Helper.** The `ssh_cmd` helper function directly passes all its arguments (`$@`) to the remote `ssh` command. If an untrusted input is ever passed as an argument to `ssh_cmd` (e.g., `ssh_cmd "malicious; command"`), it would be executed on the remote robot. While the current `snap` command's usage of `ssh_cmd` appears safe due to argument construction, the function itself is vulnerable and could be exploited by other parts of the skill or future modifications. When executing remote commands, ensure that all arguments are properly quoted and escaped to prevent shell metacharacter interpretation on the remote host. For simple commands, wrap the entire command string in single quotes: `ssh user@host 'command arg1 arg2'`. For more complex scenarios, consider using a dedicated SSH client library in Python or another language that handles argument escaping securely. | LLM | scripts/reachy.sh:203 |
| MEDIUM | **Arbitrary Robot API Access via `raw` Command.** The `reachy.sh raw` command allows making arbitrary GET or POST requests to any path on the robot's REST API with user-provided body content. While this is intended functionality for advanced users, it provides a powerful primitive that an LLM could potentially abuse to interact with the robot's API in unintended or malicious ways, especially if the API has unauthenticated or vulnerable endpoints. This broad access increases the attack surface. Implement stricter validation or whitelisting for paths and methods allowed via the `raw` command, if possible. Provide more granular tools for specific API interactions rather than a generic "raw" access. Ensure the robot's REST API itself is robustly secured against common web vulnerabilities. | LLM | scripts/reachy.sh:300 |