Trust Assessment
skill-hub received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 29 findings: 13 critical, 14 high, 1 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Dangerous tool allowed: Bash.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings29
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-security-patterns.py:65 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-quick-check.py:30 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-quick-check.py:183 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-quick-check.py:190 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-search.py:44 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-search.py:62 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-security-patterns.py:22 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-security-patterns.py:23 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-status.py:33 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-vet.py:43 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-vet.py:129 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-security-patterns.py:15 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/phenixstar/skill-hub/scripts/skill-hub-security-patterns.py:16 | |
| HIGH | Dangerous tool allowed: Bash The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | skills/phenixstar/skill-hub/SKILL.md:1 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_gh'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/phenixstar/skill-hub/scripts/skill-hub-quick-check.py:30 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/phenixstar/skill-hub/scripts/skill-hub-quick-check.py:183 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/phenixstar/skill-hub/scripts/skill-hub-quick-check.py:190 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_installed_skills'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/phenixstar/skill-hub/scripts/skill-hub-search.py:44 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'search_clawhub_live'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/phenixstar/skill-hub/scripts/skill-hub-search.py:62 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_installed_skills'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/phenixstar/skill-hub/scripts/skill-hub-status.py:33 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_skill_path'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/phenixstar/skill-hub/scripts/skill-hub-vet.py:43 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_installed_skill_names'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/phenixstar/skill-hub/scripts/skill-hub-vet.py:129 | |
| HIGH | Unpinned Dependency Version The skill uses 'npx clawhub@latest' to execute the 'clawhub' CLI tool. Specifying '@latest' means the skill will always fetch and execute the newest version of 'clawhub' available at the time of invocation. This introduces a significant supply chain risk, as a malicious update to the 'clawhub' package could lead to arbitrary code execution within the skill's environment without any explicit action or review by the skill developer or user. It is best practice to pin dependencies to a specific version (e.g., 'clawhub@1.2.3') to ensure consistent and predictable behavior and to mitigate risks from unexpected or malicious updates. Pin the 'clawhub' dependency to a specific, known-good version (e.g., 'npx clawhub@1.2.3') instead of using '@latest'. Regularly review and manually update the pinned version after verifying its integrity and security. | LLM | scripts/skill-hub-search.py:40 | |
| HIGH | Unpinned Dependency Version The skill uses 'npx clawhub@latest' to execute the 'clawhub' CLI tool. Specifying '@latest' means the skill will always fetch and execute the newest version of 'clawhub' available at the time of invocation. This introduces a significant supply chain risk, as a malicious update to the 'clawhub' package could lead to arbitrary code execution within the skill's environment without any explicit action or review by the skill developer or user. It is best practice to pin dependencies to a specific version (e.g., 'clawhub@1.2.3') to ensure consistent and predictable behavior and to mitigate risks from unexpected or malicious updates. Pin the 'clawhub' dependency to a specific, known-good version (e.g., 'npx clawhub@1.2.3') instead of using '@latest'. Regularly review and manually update the pinned version after verifying its integrity and security. | LLM | scripts/skill-hub-search.py:60 | |
| HIGH | Unpinned Dependency Version The skill uses 'npx clawhub@latest' to execute the 'clawhub' CLI tool. Specifying '@latest' means the skill will always fetch and execute the newest version of 'clawhub' available at the time of invocation. This introduces a significant supply chain risk, as a malicious update to the 'clawhub' package could lead to arbitrary code execution within the skill's environment without any explicit action or review by the skill developer or user. It is best practice to pin dependencies to a specific version (e.g., 'clawhub@1.2.3') to ensure consistent and predictable behavior and to mitigate risks from unexpected or malicious updates. Pin the 'clawhub' dependency to a specific, known-good version (e.g., 'npx clawhub@1.2.3') instead of using '@latest'. Regularly review and manually update the pinned version after verifying its integrity and security. | LLM | scripts/skill-hub-status.py:29 | |
| HIGH | Unpinned Dependency Version The skill uses 'npx clawhub@latest' to execute the 'clawhub' CLI tool. Specifying '@latest' means the skill will always fetch and execute the newest version of 'clawhub' available at the time of invocation. This introduces a significant supply chain risk, as a malicious update to the 'clawhub' package could lead to arbitrary code execution within the skill's environment without any explicit action or review by the skill developer or user. It is best practice to pin dependencies to a specific version (e.g., 'clawhub@1.2.3') to ensure consistent and predictable behavior and to mitigate risks from unexpected or malicious updates. Pin the 'clawhub' dependency to a specific, known-good version (e.g., 'npx clawhub@1.2.3') instead of using '@latest'. Regularly review and manually update the pinned version after verifying its integrity and security. | LLM | scripts/skill-hub-vet.py:42 | |
| HIGH | Unpinned Dependency Version The skill uses 'npx clawhub@latest' to execute the 'clawhub' CLI tool. Specifying '@latest' means the skill will always fetch and execute the newest version of 'clawhub' available at the time of invocation. This introduces a significant supply chain risk, as a malicious update to the 'clawhub' package could lead to arbitrary code execution within the skill's environment without any explicit action or review by the skill developer or user. It is best practice to pin dependencies to a specific version (e.g., 'clawhub@1.2.3') to ensure consistent and predictable behavior and to mitigate risks from unexpected or malicious updates. Pin the 'clawhub' dependency to a specific, known-good version (e.g., 'npx clawhub@1.2.3') instead of using '@latest'. Regularly review and manually update the pinned version after verifying its integrity and security. | LLM | scripts/skill-hub-vet.py:109 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/phenixstar/skill-hub/scripts/skill-hub-sync.py:14 | |
| INFO | Broad Bash Permission Declared The skill declares 'Bash' as an allowed tool in its manifest. While the Python scripts use `subprocess.run` with a list of arguments, which is generally safer than `shell=True`, the 'Bash' permission grants the capability to execute arbitrary shell commands. Given the skill's purpose is to manage and vet other skills, including interacting with external CLI tools like 'gh' and 'npx clawhub', this permission might be necessary for its functionality. However, it's a powerful permission that should be used with caution and its usage should be carefully reviewed to ensure no user-controlled input can be directly injected into shell commands. Ensure all `subprocess.run` calls pass commands and arguments as a list of strings, avoiding `shell=True` or direct string interpolation into shell commands. If possible, consider if a more granular permission or a less powerful tool could achieve the same functionality. Document the necessity of this permission clearly. | LLM | SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/c4e6ceef4fd59d4a)
Powered by SkillShield