Trust Assessment
sage-wallet received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 6 critical, 1 high, 7 medium, and 1 low severity. Key findings include "Network egress to untrusted endpoints", "Sensitive environment variable access: $HOME", and "jq command injection via user-controlled config keys/values".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (15)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/koba42corp/sage-wallet/scripts/sage-config.sh:48 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/koba42corp/sage-wallet/scripts/sage-config.sh:117 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/koba42corp/sage-wallet/scripts/sage-config.sh:168 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/koba42corp/sage-wallet/scripts/sage-rpc.sh:16 |
| CRITICAL | jq command injection via user-controlled config keys/values | The `get_config` and `set_config` functions in `scripts/sage-config.sh` construct `jq` commands by directly embedding user-provided `$key` and `$value` arguments. An attacker can inject arbitrary `jq` expressions, including those that execute shell commands (e.g., `$(command)`), leading to arbitrary command execution. This allows an attacker to read or write arbitrary files, or execute commands on the host system. Sanitize or strictly validate `$key` and `$value` before embedding them into `jq` commands. Alternatively, use a safer JSON parsing library or a more robust method for updating JSON files that doesn't involve direct string concatenation for `jq` expressions. For `set_config`, consider using `jq --arg key "$key" --arg value "$value" '.[$key] = $value'` and handle type conversions separately. For `get_config`, use `jq --arg key "$key" -r '.[$key] // empty'`. | LLM | scripts/sage-config.sh:60 |
| CRITICAL | eval command injection via configuration values | The `load_config` function in `scripts/sage-rpc.sh` uses `eval "$("$SCRIPT_DIR/sage-config.sh" resolve)"` to load configuration. The `resolve_config` function in `sage-config.sh` outputs shell variable assignments. If a malicious value (e.g., containing shell metacharacters or commands) is stored in the configuration file (potentially via the `jq` injection vulnerability), `eval` will execute these commands, leading to arbitrary command execution on the host system. Avoid using `eval` with untrusted or potentially tainted input. Instead of `eval`, parse the output of `sage-config.sh resolve` line by line and assign variables safely, or refactor `sage-config.sh` to output JSON that can be parsed by a safer method. | LLM | scripts/sage-rpc.sh:10 |
| HIGH | curl argument injection via user-controlled RPC parameters | The `sage_rpc` function constructs a `curl` command using several user-controlled variables (`rpc_url`, `endpoint`, `payload`, `cert_path`, `key_path`). Although these variables are double-quoted, if their *content* contains shell metacharacters or `curl` specific options (e.g., `--output`, `--upload-file`), an attacker could inject arbitrary `curl` arguments or even execute shell commands. This risk is amplified by the `jq` injection vulnerability which could allow an attacker to store malicious values in the config file, which are then used by `sage_rpc`. Implement strict validation and sanitization for all user-controlled inputs used in the `curl` command. For paths, ensure they are valid file paths and do not contain shell metacharacters or `curl` options. For URLs and endpoints, validate their format. Consider using a dedicated HTTP client library in a more robust language (e.g., Python) that handles argument escaping more safely, rather than directly constructing shell commands. | LLM | scripts/sage-rpc.sh:66 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/koba42corp/sage-wallet/scripts/test-config.sh:98 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/koba42corp/sage-wallet/scripts/test-config.sh:159 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/koba42corp/sage-wallet/scripts/test-rpc.sh:89 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/koba42corp/sage-wallet/scripts/test-rpc.sh:101 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/koba42corp/sage-wallet/scripts/sage-config.sh:8 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/koba42corp/sage-wallet/scripts/sage-rpc.sh:17 |
| MEDIUM | Sensitive credentials (SSL cert/key paths) stored in plain text config | The skill stores paths to sensitive SSL certificates and private keys (`cert_path`, `key_path`) in a plain text JSON configuration file (`$HOME/.config/sage-wallet/config.json`). While these are paths and not the credentials themselves, an attacker with read access to this file can discover the location of these critical files. Combined with the command injection vulnerabilities, this could lead to exfiltration or misuse of the actual certificate and key files. Implement stronger protection for sensitive configuration data. Consider encrypting the configuration file or storing sensitive paths/values in a secure credential store (e.g., OS keyring, environment variables managed by a secure system) rather than plain text. Ensure the configuration file has restrictive file permissions. | LLM | SKILL.md:11 |
| LOW | Skill requires broad filesystem access for sensitive operations | The skill requires read/write access to the user's home directory for configuration (`$HOME/.config/sage-wallet`) and read access to potentially sensitive locations for SSL certificates and private keys (e.g., `~/Library/Application Support/com.rigidnetwork.sage/ssl/wallet.crt`). While necessary for its intended function, this broad access, especially when combined with the identified command injection vulnerabilities, increases the attack surface and potential impact of a compromise. Where possible, limit the skill's filesystem access to only the directories and files absolutely necessary for its operation. Ensure that sensitive files like configuration and keys have the most restrictive permissions possible. | LLM | SKILL.md:11 |