Trust Assessment
reachy-mini received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 6 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Remote code execution: curl/wget pipe to shell", and "Hardcoded Default SSH Credentials".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/clawforgod/skills/reachy-mini/SKILL.md:228 |
| CRITICAL | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/clawforgod/skills/reachy-mini/SKILL.md:231 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/snail3d/clawforgod/skills/reachy-mini/scripts/reachy-react.sh:32 |
| CRITICAL | Hardcoded Default SSH Credentials. The `REACHY_SSH_PASS` environment variable defaults to 'root' if not explicitly set. This hardcoded default password for the 'pollen' user provides direct SSH access to the robot, which is a significant security risk. An attacker could leverage this to gain unauthorized control over the robot. Remove the hardcoded default password. Require users to explicitly set `REACHY_SSH_PASS` or, preferably, use SSH keys for authentication. Implement stronger authentication mechanisms and ensure default credentials are not used in production environments. | LLM | scripts/reachy.sh:106 |
| CRITICAL | Command Injection via Unsanitized SSH/SCP Arguments. The `ssh_cmd`, `scp_from`, and `scp_to` helper functions in `reachy.sh` directly pass arguments (`$@`) to `ssh` and `scp` without proper sanitization or quoting. This allows an attacker to inject arbitrary SSH/SCP command-line options or commands if they can control the arguments passed to these functions. For instance, the `snap` command uses `ssh_cmd` with user-controlled arguments, creating a direct path for remote command execution. Re-evaluate the need for direct SSH execution. If necessary, ensure all arguments passed to `ssh` and `scp` are strictly validated, properly quoted, and escaped to prevent injection. Consider using a more robust SSH library in Python or another language that handles argument escaping securely, or restrict the commands that can be executed via SSH to a predefined whitelist. | LLM | scripts/reachy.sh:108 |
| CRITICAL | Arbitrary File Write on Robot via `snap` Command. The `snap` command in `reachy.sh` allows a user to specify an arbitrary output path for the captured image on the robot. This path is passed directly to the `reachy-gst-snap.py` script, which then uses it in `img.save(OUTPUT, quality=85)`. Combined with the SSH access (potentially using hardcoded credentials), this allows an attacker to write arbitrary files to arbitrary locations on the robot's filesystem, potentially overwriting critical system files or injecting malicious scripts. Restrict the `OUTPUT` path for the `snap` command to a safe, predefined directory (e.g., `/tmp/snapshots/`) and sanitize the filename to prevent directory traversal (`../`). Do not allow arbitrary file paths to be specified by user input. | LLM | scripts/reachy.sh:240 |
| HIGH | Excessive Permissions via `raw` API Command. The `raw` command in `reachy.sh` allows direct access to the robot's REST API with arbitrary HTTP methods, paths, and JSON bodies. This grants the skill (and any entity controlling the skill's input) full, unauthenticated control over the robot's API. If the robot's API exposes sensitive endpoints for system configuration, firmware updates, or data access, this command provides a direct avenue for exploitation without any additional authorization checks. Implement granular access control for the `raw` command, or remove it if direct, unrestricted API access is not strictly necessary for the skill's intended functionality. If kept, restrict the allowed paths and methods to only those essential for the skill, and consider requiring additional authentication or authorization for sensitive API calls. | LLM | scripts/reachy.sh:260 |
| MEDIUM | Potential Command Injection in `reachy-react.sh` via `doa-track` Output Parsing. The `do_doa_track` function in `reachy-react.sh` parses JSON output from `"$REACHY" doa` using `python3 -c "..."`. While the Python script attempts to format the `yaw` value as a float (`f'{yaw:.3f}'`), if the `doa_json` input is malformed or contains unexpected characters that are not properly handled by the Python `json.load` or the subsequent string formatting, it could lead to injection into the `move --head 0,"${angle}",0` command. Although the current Python snippet appears robust for numerical output, this pattern of piping external, potentially untrusted data into a shell command via an intermediate script carries inherent risk. Ensure that the output of the Python script is strictly validated to be a floating-point number before being used in the `move` command. Consider using `printf %f` or similar bash-native numeric validation to explicitly cast and sanitize the value, or refactor to avoid piping potentially untrusted data directly into shell commands. | LLM | scripts/reachy-react.sh:204 |