Trust Assessment
rlm received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 3 high, 1 medium, and 0 low severity. Key findings include: sensitive environment variable access ($HOME); unpinned external dependencies and code downloads; and an OpenRouter API key exposed to unpinned external code.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned external dependencies and code downloads: The skill installation process relies heavily on external code fetched without specific version pinning. This includes `npm install -g mcporter`, `git clone` of `https://github.com/alexzhang13/rlm.git` (no commit hash), `curl` downloads of multiple files from `https://raw.githubusercontent.com/eesb99/rlm-mcp/main/` (no versioning), and `pip install` of `mcp` and `litellm` (and potentially dependencies in `requirements.txt`). This makes the skill vulnerable to supply chain attacks if any of these upstream repositories or packages are compromised or introduce breaking/malicious changes. Pin all external dependencies to specific versions (e.g., commit hashes for git clones, specific package versions for npm/pip, checksums for curl downloads) to ensure integrity and prevent unexpected changes. | LLM | SKILL.md:30 |
| HIGH | OpenRouter API key exposed to unpinned external code: The skill requires the `OPENROUTER_API_KEY` to be set as an environment variable, which is then passed to the RLM server via `run_server.sh`. The RLM server code (`server.py`, `run_server.sh`, `requirements.txt`) is downloaded from unpinned external GitHub repositories (`eesb99/rlm-mcp`). A malicious update to these external repositories could lead to the exfiltration of the `OPENROUTER_API_KEY`, compromising the user's OpenRouter account. Pin all external dependencies to specific versions to ensure the integrity of the code handling sensitive credentials. Implement robust sandboxing for the RLM server to prevent network access or file system access beyond what is strictly necessary for its operation. | LLM | SKILL.md:88 |
| HIGH | Skill enables arbitrary Python code execution with unknown sandbox security: The core functionality of the RLM skill is to generate and execute arbitrary Python code based on user input (`task` parameter). While the skill states 'Code executes in sandbox', the details of this sandbox's implementation and security guarantees are not provided within the skill package. If the sandbox is not sufficiently robust (e.g., allows network access, file system access, or escapes), malicious user input could lead to arbitrary command injection and compromise of the host system where the RLM server is running. This represents a high-risk capability that requires a highly secure and auditable sandbox. Provide clear documentation and guarantees about the RLM server's sandbox security, including isolation mechanisms, network restrictions, and file system access controls. Ideally, the sandbox should be implemented using secure, well-vetted technologies (e.g., Docker, gVisor, secure Python sandboxing libraries) and its security posture should be auditable. | LLM | SKILL.md:15 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to the sensitive environment variable `$HOME` was detected in a shell context. Verify that this environment variable access is necessary and that the value is not exfiltrated. | Static | skills/eesb99/rlm/SKILL.md:20 |