Trust Assessment
route received a trust score of 29/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include File read + network send exfiltration, Sensitive path access: AI agent config, Unpinned `clawhub` dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/barneyjm/route/SKILL.md:41 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/barneyjm/route/SKILL.md:41 | |
| HIGH | Unencoded user input in URL query string The `build_query_string` function in `scripts/route.sh` constructs a URL query string by directly interpolating user-provided values (e.g., `start_lat`, `start_lon`, `mode`, `include_geometry`, `include_imagery`) extracted from the JSON input. These values are not URL-encoded before being added to the `QUERY_STRING`. A malicious user could inject arbitrary URL parameters by providing input like `{"start_lat": "123", "start_lon": "456&malicious_param=value"}`. This could lead to prompt injection against the remote API, potentially altering the API's behavior, bypassing intended restrictions, or even causing data exfiltration if the API reflects injected parameters in error messages or logs accessible to an attacker. While the `curl` command itself is quoted, preventing shell injection, the injection occurs at the HTTP request parameter level. URL-encode all user-provided values before interpolating them into the `QUERY_STRING`. This can be done using a utility function (e.g., `urlencode` if available, or a custom function) or by using `jq` to encode the values if the API supports JSON body for GET requests (less common) or if `jq` can be used to construct the URL-encoded string. For bash, a common approach is to use `printf %s "$value" | xxd -plain | sed 's/\(..\)/%\1/g'` for simple cases, or rely on a more robust `urlencode` function. | LLM | scripts/route.sh:46 | |
| MEDIUM | Unpinned `clawhub` dependency The installation instructions use `npx clawhub@latest install route`. Relying on `@latest` for `clawhub` means the skill's installation is dependent on the most recent version of the `clawhub` package. This introduces a supply chain risk as a malicious update to `clawhub` could compromise the installation process without explicit user consent or review. It is best practice to pin dependencies to a specific version or commit hash to ensure reproducibility and security. Pin the `clawhub` dependency to a specific version, e.g., `npx clawhub@1.2.3 install route`, or use a specific commit hash if installing directly from a repository. | LLM | SKILL.md:20 | |
| MEDIUM | Unpinned GitHub repository dependency The installation instructions recommend `npx skills add https://github.com/barneyjm/camino-skills`. This command pulls skills directly from the `main` branch (or default branch) of the specified GitHub repository without pinning to a specific commit, tag, or branch. This introduces a supply chain risk: if the `barneyjm/camino-skills` repository is compromised, malicious code could be injected into the skill package without the user's knowledge. It is best practice to reference specific, immutable versions of external dependencies. Modify the installation command to reference a specific commit hash or version tag of the GitHub repository, e.g., `npx skills add https://github.com/barneyjm/camino-skills#v1.0.0` or `npx skills add https://github.com/barneyjm/camino-skills#<commit_hash>`. | LLM | SKILL.md:14 |
Scan History
Embed Code
[](https://skillshield.io/report/7db51a083dd51968)
Powered by SkillShield