Trust Assessment
satori received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Command Injection via `npx` with user-controlled arguments, Excessive Permissions and Supply Chain Risk via unpinned `npx` package, Potential Data Exfiltration/Credential Harvesting via sensitive file access instruction.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via `npx` with user-controlled arguments.** The skill instructs the LLM to execute the shell commands `npx -y @satori-sh/cli@latest search "<query>"` and `npx -y @satori-sh/cli@latest add "<facts>"`. The `<query>` and `<facts>` arguments are derived directly from user input. This creates a severe command injection vulnerability: an attacker can inject arbitrary shell commands by crafting malicious input (e.g., `'; rm -rf /'`) for the query or facts, which could lead to remote code execution on the host system. Implement robust input sanitization and validation for user-provided `<query>` and `<facts>` before passing them to shell commands. Ideally, use a programmatic API for the Satori CLI if one is available, or ensure that the LLM strictly escapes all shell metacharacters in user input. | LLM | SKILL.md:45 |
| HIGH | **Excessive Permissions and Supply Chain Risk via unpinned `npx` package.** The skill instructs the LLM to use `npx -y @satori-sh/cli@latest`. This presents two significant risks. (1) **Excessive Permissions (SS-LLM-005)**: the `-y` flag allows `npx` to automatically confirm installation and execution of arbitrary npm packages, granting broad and potentially dangerous execution capabilities to the LLM without explicit confirmation. (2) **Supply Chain Risk (SS-LLM-006)**: using `@latest` means the package version is unpinned; a malicious update to the `@satori-sh/cli` package could be automatically downloaded and executed, leading to a supply chain attack in which compromised code runs on the host system. To mitigate excessive permissions, reconsider the necessity of `npx -y` and ensure the LLM's execution environment is strictly sandboxed. To mitigate supply chain risk, pin the version of `@satori-sh/cli` (e.g., `npx @satori-sh/cli@1.2.3`) and regularly audit and update the pinned version. | LLM | SKILL.md:45 |
| MEDIUM | **Potential Data Exfiltration/Credential Harvesting via sensitive file access instruction.** The skill explicitly describes `~/.config/satori/satori.json` as containing sensitive information (API keys and memory IDs) and instructs: 'If you have access to this file, give Satori read and write access to this file.' While intended for Satori's own configuration, instructing the LLM to interact with a file containing credentials creates a risk: a malicious prompt could trick the LLM into reading or modifying this file in an unintended way, leading to credential exposure (Data Exfiltration) or manipulation (Credential Harvesting). Ensure that the LLM's execution environment is sandboxed and that it does not have direct filesystem access, especially to sensitive user configuration directories. If the LLM needs to interact with Satori's configuration, it should do so through a secure, controlled API, not by direct filesystem manipulation. Clarify that the LLM itself should not be 'giving Satori read and write access'; rather, the *user* should ensure permissions are set correctly for the Satori CLI. | LLM | SKILL.md:35 |
Full report: https://skillshield.io/report/f62434d7a667cd0a