Trust Assessment
silverbullet received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 3 high, 3 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Unsafe deserialization / dynamic eval, Sensitive path access: AI agent config.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions.** Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/ramonitor/silverbullet-skill/SKILL.md:31 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/ramonitor/silverbullet-skill/SKILL.md:17 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/ramonitor/silverbullet-skill/SKILL.md:52 |
| HIGH | **User-provided content can be exfiltrated to arbitrary URLs.** The `write_page` and `append_to_page` tools send user-provided markdown `content` to a SilverBullet instance. The target URL for this instance is determined by the `base_url` argument passed to the tool or the `SILVERBULLET_URL` environment variable. If an attacker can manipulate `base_url` (e.g., by tricking the user into setting a malicious `SILVERBULLET_URL` or by injecting a malicious `base_url` argument into the tool call), any data provided to these tools could be exfiltrated to an arbitrary external server. 1. **Restrict `base_url`**: If possible, implement validation to restrict the `base_url` argument and `SILVERBULLET_URL` environment variable to only allow `localhost` or a predefined set of trusted domains. 2. **User Warning**: Clearly warn users about the risks of setting `SILVERBULLET_URL` to untrusted endpoints, as any data sent to the skill's `write_page` or `append_to_page` tools will be sent to that URL. 3. **Host-level validation**: The host environment (e.g., `mcporter`) should validate `SILVERBULLET_URL` to prevent it from pointing to external, untrusted domains. | LLM | server.py:134 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ramonitor/silverbullet-skill/server.py:5 |
| MEDIUM | **Persistence mechanism: Shell RC file modification.** Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/ramonitor/silverbullet-skill/SKILL.md:31 |
| MEDIUM | **Unpinned Python dependency version.** Dependency 'mcp[cli]>=1.2.0' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | skills/ramonitor/silverbullet-skill/pyproject.toml |