Trust Assessment
skill-exporter received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 3 critical, 4 high, 0 medium, and 1 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings8
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/macstenk/skill-exporter/scripts/export.py:376 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/macstenk/skill-exporter/scripts/export.py:75 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/macstenk/skill-exporter/scripts/export.py:122 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/macstenk/skill-exporter/scripts/export.py:75 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/macstenk/skill-exporter/scripts/export.py:122 | |
| HIGH | Prompt Injection in Generated LLM Client Code The `skill-exporter` generates LLM client code (`llm_client_anthropic.py`, `llm_client_openai.py`) that constructs prompts by directly embedding user-provided input (e.g., `prompt`, `system`, `topic`, `style`) into f-strings. If the API endpoints generated by `skill-exporter` expose these functions and pass untrusted user input directly to these parameters, an attacker could manipulate the underlying LLM's behavior, leading to prompt injection. This allows an attacker to override system instructions or extract sensitive information from the LLM's context. Implement robust input sanitization, escaping, or use structured prompting techniques (e.g., JSON mode, tool use) to separate user input from system instructions. For `system` prompts, ensure they are fixed or strictly controlled, not user-provided. Consider using LLM-specific prompt templating libraries that offer injection protection. | LLM | scripts/export.py:69 | |
| HIGH | Potential Command Injection via Subprocess Execution in Generated API The `skill-exporter` generates an `api.py` FastAPI wrapper that imports `subprocess` and `tempfile`. The stated purpose of the skill is to transform Clawdbot skills, which include `scripts/`, into microservices. It is highly probable that the generated API endpoints (represented by the `{endpoints}` placeholder) will execute these original skill scripts using `subprocess.run` or similar functions. If user-controlled input is passed directly as arguments to these subprocess calls without proper sanitization or shell argument escaping, it could lead to arbitrary command execution on the host system. The truncation of the `api.py` template prevents full analysis of the `{endpoints}` section, but the design pattern indicates a strong likelihood of this vulnerability. When executing external scripts or commands via `subprocess`, always use the list-form of arguments (e.g., `subprocess.run(['command', 'arg1', 'arg2'])`) and avoid `shell=True`. Ensure all user-provided inputs are strictly validated and sanitized before being passed as arguments. Consider using a whitelist of allowed commands and arguments. | LLM | scripts/export.py:30 | |
| LOW | Unpinned or Loosely Pinned Dependencies in Generated requirements.txt The `skill-exporter` generates a `requirements.txt` file that specifies dependencies using loose version constraints (e.g., `fastapi>=0.109.0`). While this allows for minor updates, it can lead to unexpected breaking changes or the introduction of new vulnerabilities if a major version update occurs or if a new vulnerability is discovered in a later version that is automatically pulled in. For production deployments, exact pinning (`==`) is generally recommended for reproducibility and security, as it ensures that the exact same dependency versions are installed every time. Pin all dependencies to exact versions (e.g., `fastapi==0.109.0`) to ensure reproducible builds and prevent unexpected changes or vulnerabilities from being introduced by automatic updates. Use a dependency management tool that supports lock files (e.g., `pip-tools` or `Poetry`) to manage transitive dependencies. | LLM | scripts/export.py:199 |
Scan History
Embed Code
[](https://skillshield.io/report/d572392eb77e202a)
Powered by SkillShield