Trust Assessment
shortcut received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 3 critical, 2 high, 3 medium, and 1 low severity. Key findings include "Persistence / self-modification instructions", "Persistence mechanism: Shell RC file modification", and "Sensitive environment variable access: $HOME".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/catwalksophie/shortcut/SKILL.md:24 |
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/catwalksophie/shortcut/scripts/shortcut-init-workflow.sh:51 |
| CRITICAL | Command Injection via unsanitized Shortcut workflow names | The `shortcut-init-workflow.sh` script generates a shell script file (`~/.config/shortcut/workflow-states`) by directly interpolating workflow names fetched from the Shortcut API into `export` statements. The sanitization (`ascii_upcase \| gsub(" ", "_")`) is insufficient to prevent shell metacharacters from being executed. If a Shortcut workflow name contains malicious shell commands (e.g., `My Workflow"; rm -rf / #`), these commands will be executed when `workflow-states` is sourced by `shortcut-update-story.sh` or by a user's shell (e.g., `~/.bashrc`), leading to arbitrary command execution on the host system. Sanitize the workflow name (`.name`) more robustly before interpolating it into the `export` statement in `workflow-states`. Ensure that only safe characters (e.g., alphanumeric and underscores) are allowed, or properly escape all shell metacharacters using a function like `printf %q` for the variable value. | LLM | scripts/shortcut-init-workflow.sh:35 |
| HIGH | Command Injection in `curl` URL paths due to unsanitized arguments | Several scripts directly interpolate user-provided arguments (`story-id`, `comment-id`, `task-id`) into `curl` command URLs without proper shell escaping. Although these are expected to be numeric IDs, a malicious actor could inject shell metacharacters (e.g., `123; $(malicious_command)`) into these arguments. This would lead to arbitrary command execution on the host system. This vulnerability affects `shortcut-delete-comment.sh`, `shortcut-delete-task.sh`, `shortcut-edit-task.sh`, `shortcut-show-story.sh`, `shortcut-update-comment.sh`, and `shortcut-update-task.sh`. Always quote or properly escape user-provided arguments when they are used in shell commands, especially in URLs. For numeric IDs, validate that the input is strictly numeric before use. For example, use parameter expansion to strip non-numeric characters: `${STORY_ID//[^0-9]/}` or use `printf %q` for full shell escaping if non-numeric inputs are expected to be part of the path. | LLM | scripts/shortcut-delete-comment.sh:20 |
| HIGH | JSON Injection via unsanitized description argument in `shortcut-update-story.sh` | The `shortcut-update-story.sh` script constructs a JSON payload for the Shortcut API by directly interpolating the user-provided `--description` argument (`$2`) into a JSON string without proper escaping. If the description contains unescaped double quotes or other JSON-breaking characters (e.g., `", "malicious_key": "malicious_value"`), it can lead to malformed JSON or the injection of arbitrary JSON fields into the API request. This could allow an attacker to modify unintended story attributes or potentially bypass API restrictions. Properly escape the description argument (`$2`) before interpolating it into the JSON string. The `jq --arg` mechanism used in other scripts is the correct approach for this. For example, construct the payload using `jq -n --arg desc "$2" '{description: $desc}'` and then extract the key-value pair, or pass the description through `jq -R -s -c` to escape it before embedding. | LLM | scripts/shortcut-update-story.sh:56 |
| MEDIUM | Persistence mechanism: Shell RC file modification | Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/catwalksophie/shortcut/SKILL.md:24 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/catwalksophie/shortcut/scripts/shortcut-init-workflow.sh:35 |
| MEDIUM | Persistence mechanism: Shell RC file modification | Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/catwalksophie/shortcut/scripts/shortcut-init-workflow.sh:51 |
| LOW | Plaintext API token storage on filesystem | The skill's setup instructions and scripts recommend storing the `SHORTCUT_API_TOKEN` in a plaintext file (`~/.config/shortcut/api-token`) and sourcing it into environment variables. While common for local shell scripts, this practice exposes the API token to any process with read access to the file, increasing the risk of credential harvesting by other compromised applications or malicious local users. The skill itself does not exfiltrate the token, but its recommended usage pattern creates this vulnerability. Recommend using a secure secrets management solution (e.g., a credential manager, OS keyring, or environment variables managed by a secure system) instead of plaintext files. If plaintext files are necessary, emphasize strict file permissions (`chmod 600`) and educate users on the risks associated with local plaintext storage. | LLM | SKILL.md:19 |