Trust Assessment
recipe-to-list received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 7 critical, 6 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, File read + network send exfiltration, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (15)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/borahm/recipe-to-list/scripts/recipe_to_list.py:647 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/borahm/recipe-to-list/scripts/recipe_to_list.py:929 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/borahm/recipe-to-list/scripts/recipe_to_list.py:963 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/borahm/recipe-to-list/scripts/recipe_to_list.py:984 |
| CRITICAL | **File read + network send exfiltration.** AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/borahm/recipe-to-list/scripts/recipe-to-list.sh:12 |
| CRITICAL | **Arbitrary file read and exfiltration via image path.** The `recipe_to_list.py` script takes an `image_path` as a command-line argument. This path is then used to read the file's content (`_read_bytes(image_path)`) and base64 encode it. The encoded content is subsequently sent to the Gemini API as part of the request payload. An attacker controlling the `image_path` argument (e.g., by providing `/etc/passwd` or `~/.ssh/id_rsa`) can cause the skill to read arbitrary files from the system and exfiltrate their content to the Gemini API. Implement strict validation for `image_path` to ensure it points to a file within an expected, non-sensitive directory (e.g., a temporary upload directory) and does not contain path traversal sequences. Alternatively, use a file picker or restrict input to URLs. | LLM | scripts/recipe_to_list.py:204 |
| CRITICAL | **Arbitrary code execution and environment variable manipulation via .env file sourcing.** The `recipe-to-list.sh` script unconditionally sources `~/.clawdbot/.env`. If an attacker can write to or modify this file (e.g., by exploiting another vulnerability or if the file permissions are insecure), they can inject arbitrary shell commands that will be executed by the skill. Additionally, `set -a` ensures all variables defined in the `.env` file are exported, potentially allowing an attacker to manipulate environment variables for subsequent processes. Avoid sourcing user-writable configuration files directly. If environment variables are needed, consider passing them explicitly or using a more secure configuration management system. Ensure that any configuration files are not writable by unprivileged users. | LLM | scripts/recipe-to-list.sh:9 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_existing_project_tasks'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/borahm/recipe-to-list/scripts/recipe_to_list.py:647 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'add_items_to_todoist'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/borahm/recipe-to-list/scripts/recipe_to_list.py:984 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'add_items_to_todoist'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/borahm/recipe-to-list/scripts/recipe_to_list.py:929 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'add_items_to_todoist'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/borahm/recipe-to-list/scripts/recipe_to_list.py:963 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/borahm/recipe-to-list/scripts/recipe-to-list.sh:12 |
| HIGH | **Arbitrary file write due to unsanitized Gemini output in file path construction.** The `_save_recipe` function constructs a markdown file path using a `slug` derived from the `title` provided by the Gemini API response. The Gemini API response is based on untrusted image content. If an attacker crafts an image that causes Gemini to return a `title` containing path traversal sequences (e.g., `../../../../tmp/malicious.md`), the skill could write arbitrary content (also from Gemini's output) to an arbitrary file on the system. This could lead to code injection if the written file is later executed or included. Sanitize the `title` (and `source` if used in path construction) to remove or escape any path traversal characters (e.g., `.` or `/`) before using it to form a file path. Restrict file writes to a dedicated, sandboxed directory and ensure the target directory is not writable by other processes that could interpret the written content as code. | LLM | scripts/recipe_to_list.py:240 |
| MEDIUM | **Suspicious import: urllib.request.** Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/borahm/recipe-to-list/scripts/recipe_to_list.py:24 |
| MEDIUM | **Potential command injection through unsanitized arguments to todoist CLI.** The `_add_todoist_task` function uses `subprocess.run` to execute the `todoist` CLI with arguments including `project_name` and `content` (the ingredient line). While `subprocess.run` with a list of arguments is generally safer than a shell string, if the `todoist` CLI itself has vulnerabilities in how it parses task content or project names, or if `content` (derived from untrusted Gemini output) contains shell metacharacters that are not properly escaped by the CLI, it could lead to command injection. Ensure that all arguments passed to external commands, especially those derived from untrusted input, are thoroughly sanitized or explicitly quoted to prevent misinterpretation by the target command-line tool. Review the `todoist` CLI documentation for best practices regarding untrusted input. | LLM | scripts/recipe_to_list.py:180 |