Trust Assessment
researchvault received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 19 findings: 5 critical, 6 high, 7 medium, and 0 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (19)
| Severity | Finding | Detail | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lraivisto/research-mind/tests/test_smoke_cli.py:6 |
| CRITICAL | Credential harvesting | Bulk environment variable dump | Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/lraivisto/research-mind/tests/test_mcp_server.py:12 |
| CRITICAL | Credential harvesting | Bulk environment variable dump | Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/lraivisto/research-mind/tests/test_smoke_cli.py:18 |
| CRITICAL | Credential harvesting | Bulk environment variable dump | Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/lraivisto/research-mind/tests/test_smoke_cli.py:60 |
| CRITICAL | Arbitrary File Read via Artifact Tool | The `vault_add_artifact` tool, exposed via the MCP server, allows an agent to specify an arbitrary `path` argument. This path is then directly used by the `_read_text_file` function in `scripts/synthesis.py` to read the content of the specified file. A malicious prompt could instruct the agent to call this tool with paths to sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, `/proc/self/environ`), leading to data exfiltration. The content read from these files is then processed for embeddings and stored in the database, making it potentially retrievable through other skill functionalities. | Implement strict validation and sanitization for the `path` argument in `vault_add_artifact` and `core.add_artifact`. Restrict file access to a designated, sandboxed directory for artifacts, or implement a robust allowlist/denylist for file types and locations. Avoid reading arbitrary file paths provided by untrusted input. | LLM | scripts/mcp_server.py:139 |
| HIGH | Unsafe environment variable passthrough | Bulk environment variable harvesting | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/lraivisto/research-mind/tests/test_mcp_server.py:12 |
| HIGH | Unsafe environment variable passthrough | Bulk environment variable harvesting | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/lraivisto/research-mind/tests/test_smoke_cli.py:18 |
| HIGH | Unsafe environment variable passthrough | Bulk environment variable harvesting | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/lraivisto/research-mind/tests/test_smoke_cli.py:60 |
| HIGH | Unsafe deserialization / dynamic eval | Decryption followed by code execution | Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/lraivisto/research-mind/tests/conftest.py:46 |
| HIGH | Hidden network beacons / undisclosed telemetry | DNS resolution call that could be used for data exfiltration | Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/lraivisto/research-mind/scripts/scuttle.py:35 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function '_run_cli'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/lraivisto/research-mind/tests/test_smoke_cli.py:6 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lraivisto/research-mind/scripts/core.py:7 |
| MEDIUM | Suspicious import: socket | Import of 'socket' detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lraivisto/research-mind/scripts/scuttle.py:5 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lraivisto/research-mind/scripts/scuttle.py:7 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lraivisto/research-mind/tests/test_grokipedia.py:2 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lraivisto/research-mind/tests/test_youtube.py:2 |
| MEDIUM | Unpinned Python dependency version | Dependency 'requests>=2.32.0' is not pinned to an exact version. | Pin Python dependencies with exact versions where feasible. | Dependencies | skills/lraivisto/research-mind/pyproject.toml |
| MEDIUM | Unpinned Dependencies in pyproject.toml | The `pyproject.toml` file specifies dependencies using loose version constraints (e.g., `requests>=2.32.0`). This means that future installations could pull in new major or minor versions of libraries without explicit review. While this allows for automatic updates, it also introduces a supply chain risk where a malicious or vulnerable version of a dependency could be introduced, potentially leading to unexpected behavior or security vulnerabilities. | Pin dependencies to exact versions (e.g., `requests==2.32.0`) or use more restrictive version specifiers (e.g., `requests~=2.32.0` for minor version bumps) to ensure reproducible builds and reduce the risk of unexpected changes from upstream packages. Regularly review and update pinned dependencies. | LLM | pyproject.toml:9 |
| INFO | Database Path Configurable via Environment Variable | The database path for ResearchVault can be overridden by the `RESEARCHVAULT_DB` environment variable. While this provides flexibility for deployment and testing, if the environment running the skill is compromised, an attacker could potentially redirect the database to a location they control. This could lead to data exfiltration (by pointing to a network share or attacker-controlled storage) or data corruption/tampering. | Ensure that the execution environment for the skill is secured and that environment variables cannot be arbitrarily set by untrusted sources. If the skill is deployed in a multi-tenant or less trusted environment, consider restricting the ability to override critical paths via environment variables or implementing additional validation for such paths. | LLM | scripts/db.py:7 |
Full report: https://skillshield.io/report/6d82edd22a22b722