Trust Assessment
relay-to-agent received a trust score of 60/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 0 high, 2 medium, and 0 low severity. The findings are "Unpinned npm dependency version", "API Key and Data Exfiltration via RELAY_BASE_URL Environment Variable", and "Arbitrary File Read via RELAY_CONFIG Environment Variable".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **API Key and Data Exfiltration via `RELAY_BASE_URL` Environment Variable.** The skill allows overriding the `baseUrl` for the OpenAI-compatible API client via the `RELAY_BASE_URL` environment variable. If an attacker can control this environment variable, they can redirect all API requests, including the `RELAY_API_KEY` and user messages, to a server under their control. This constitutes a direct credential harvesting and data exfiltration vector, as the API key is sent to an untrusted endpoint. **Remediation:** Implement strict validation for `RELAY_BASE_URL` to ensure it points to a trusted domain or a predefined list of allowed endpoints. Alternatively, remove the ability to override `baseUrl` via environment variable if not strictly necessary, or ensure the environment where the skill runs is highly secured against arbitrary environment variable injection. | LLM | scripts/relay.mjs:166 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'openai-fetch' is not pinned to an exact version ('^3.4.2'). **Remediation:** Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/ericsantos/relay-to-agent/package.json |
| MEDIUM | **Arbitrary File Read via `RELAY_CONFIG` Environment Variable.** The `RELAY_CONFIG` environment variable allows specifying an arbitrary path for the `agents.json` configuration file. The `loadConfig` function then uses `readFileSync` to read the content of this path. While the script attempts to parse the content as JSON, an attacker controlling `RELAY_CONFIG` could point it to any file on the system, leading to an arbitrary file read vulnerability. Although the content is not directly outputted unless it's valid JSON and requested via `--json` for agents, the file content is read into memory, which could be a stepping stone for other attacks or a privacy violation. **Remediation:** Restrict `RELAY_CONFIG` to paths within the skill's own directory or a designated secure configuration directory. If arbitrary paths are necessary, implement robust validation to ensure the path is safe and does not point to sensitive system files. Consider using a more secure configuration management approach. | LLM | scripts/relay.mjs:14 |