Trust Assessment
researchvault received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 5 critical, 7 high, 7 medium, and 0 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lraivisto/researchbrain/tests/test_smoke_cli.py:6 |
| CRITICAL | Credential harvesting: bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/lraivisto/researchbrain/tests/test_mcp_server.py:12 |
| CRITICAL | Credential harvesting: bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/lraivisto/researchbrain/tests/test_smoke_cli.py:18 |
| CRITICAL | Credential harvesting: bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/lraivisto/researchbrain/tests/test_smoke_cli.py:60 |
| CRITICAL | Arbitrary file read via `vault_add_artifact`: the `vault_add_artifact` tool exposed via the MCP server allows an agent to specify an arbitrary `path` to a local file, which `_read_text_file` in `scripts/synthesis.py` then reads. This enables an attacker to read any file the skill's process can access, leading to severe data exfiltration. Restrict the `path` argument in `vault_add_artifact` to a predefined, secure directory (e.g., a project-specific artifact directory) or implement strict path validation to prevent directory traversal and access to sensitive system files. Consider using content-addressable storage instead of direct file paths. | LLM | scripts/mcp_server.py:156 |
| HIGH | Unsafe environment variable passthrough: bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/lraivisto/researchbrain/tests/test_mcp_server.py:12 |
| HIGH | Unsafe environment variable passthrough: bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/lraivisto/researchbrain/tests/test_smoke_cli.py:18 |
| HIGH | Unsafe environment variable passthrough: bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/lraivisto/researchbrain/tests/test_smoke_cli.py:60 |
| HIGH | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/lraivisto/researchbrain/tests/conftest.py:46 |
| HIGH | Hidden network beacons / undisclosed telemetry: DNS resolution call that could be used for data exfiltration. Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/lraivisto/researchbrain/scripts/scuttle.py:35 |
| HIGH | Dangerous call: `subprocess.run()`. Call to `subprocess.run()` detected in function `_run_cli`; this can execute arbitrary code. Avoid dangerous functions like exec/eval/os.system and use safer alternatives. | Static | skills/lraivisto/researchbrain/tests/test_smoke_cli.py:6 |
| HIGH | Arbitrary file write via `export` command: the `vault.py` CLI's `export` command allows a user (or an agent executing the command) to specify an arbitrary `--output` file path, so the entire contents of a research vault project, which can include sensitive findings, logs, and other data, can be written to any location on the filesystem accessible by the skill's process. This could lead to data exfiltration or overwriting of critical system files. Restrict the `--output` path to a designated, secure export directory, implement strict path validation to prevent directory traversal, and ensure files are not written outside the intended scope. Consider requiring explicit user confirmation for exports to non-default locations. | LLM | scripts/vault.py:34 |
| MEDIUM | Suspicious import: `requests`. Import of `requests` detected; this module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lraivisto/researchbrain/scripts/core.py:7 |
| MEDIUM | Suspicious import: `socket`. Import of `socket` detected; this module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lraivisto/researchbrain/scripts/scuttle.py:5 |
| MEDIUM | Suspicious import: `requests`. Import of `requests` detected; this module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lraivisto/researchbrain/scripts/scuttle.py:7 |
| MEDIUM | Suspicious import: `requests`. Import of `requests` detected; this module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lraivisto/researchbrain/tests/test_grokipedia.py:2 |
| MEDIUM | Suspicious import: `requests`. Import of `requests` detected; this module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lraivisto/researchbrain/tests/test_youtube.py:2 |
| MEDIUM | Unpinned Python dependency version: dependency `requests>=2.32.0` is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | skills/lraivisto/researchbrain/pyproject.toml |
| MEDIUM | Potential SSRF via `WebScuttler`: `WebScuttler` in `scripts/scuttle.py` performs HTTP requests to arbitrary URLs provided by the agent. While `_ensure_safe_url` attempts to block private and loopback IP addresses, an attacker may bypass these checks (e.g., via DNS rebinding, or by targeting internal services not on explicitly blocked IP ranges) to perform Server-Side Request Forgery (SSRF). This could lead to information disclosure from internal networks or interaction with internal services. Enhance `_ensure_safe_url` with more robust IP address validation, potentially including a whitelist of allowed domains or a more comprehensive blacklist of internal IP ranges. Consider running the skill in an isolated network environment if it requires arbitrary external network access. | LLM | scripts/scuttle.py:150 |
| INFO | Loose dependency version pinning: `pyproject.toml` uses `>=` for dependency versions (e.g., `requests>=2.32.0`). While this allows minor version updates and bug fixes, a new vulnerability introduced in a minor or patch version of a dependency could affect the skill without explicit review or testing. For security-sensitive applications, exact pinning (`==`) is often preferred to ensure deterministic builds and prevent unexpected changes. Consider exact version pinning (`==`) for all production dependencies to ensure build reproducibility and prevent unexpected security regressions from upstream packages. Regularly audit and update dependencies to incorporate security fixes. | LLM | pyproject.toml:7 |
Full report: https://skillshield.io/report/9fc1d9ff21bafb99 (powered by SkillShield)