Trust Assessment
sabnzbd received a trust score of 57/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include Sensitive path access: AI agent config, Sensitive environment variable access: $HOME, Arbitrary file upload leading to data exfiltration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/jmagar/sabnzbd/SKILL.md:8 | |
| HIGH | Arbitrary file upload leading to data exfiltration The `add-file` command in `scripts/sab-api.sh` allows a user to specify a local file path (`/path/to/file.nzb`) to be uploaded to the SABnzbd instance. The script directly uses this user-provided path in a `curl -F "name=@$filepath"` command without sanitization or validation. A malicious user can specify any file path accessible to the script (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, `~/.clawdbot/credentials/sabnzbd/config.json`) to exfiltrate its contents by uploading it to the SABnzbd server. Implement strict validation for the `filepath` argument in `cmd_add_file`. Only allow paths within a designated, sandboxed upload directory, or validate file extensions. Ensure the script runs with minimal necessary permissions to limit the impact of such an exploit. | LLM | scripts/sab-api.sh:170 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jmagar/sabnzbd/scripts/sab-api.sh:7 | |
| MEDIUM | URL parameter injection via unsanitized user input Several commands (e.g., `queue`, `history`, `add`, `purge`, `rename`, `speedlimit`, `change-category`, `change-script`, `change-priority`) construct API URLs by directly appending user-controlled values without proper URL encoding. If a user provides input containing URL-special characters like `&` or `=`, they can inject arbitrary parameters into the SABnzbd API call. This could lead to unexpected behavior, overriding legitimate parameters (e.g., `limit`, `mode`), or potentially triggering unintended actions if the API is sensitive to such injections. For example, `sab-api.sh queue --category "tv&mode=delete"` could potentially change the API call's mode. Ensure all user-supplied values that are appended to the URL as parameters are properly URL-encoded before being added. The `python3 -c "import urllib.parse; print(urllib.parse.quote('$value', safe=''))"` method used for the main URL in `cmd_add` is a good example of how to do this for all parameters. | LLM | scripts/sab-api.sh:48 |
Scan History
Embed Code
[](https://skillshield.io/report/605c8befb759ea9f)
Powered by SkillShield