Trust Assessment
smalltalk received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 6 critical, 7 high, 1 medium and 0 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution and credential harvesting. Several entries report the same code location from different layers (smalltalk.py lines 137, 240, 249 and 263 appear under both Manifest and Static analysis, and line 247 is listed twice under Manifest), so the 14 entries reduce to five distinct issues: subprocess launches of the Squeak VM, passthrough of the daemon's full environment to that VM, unvalidated VM and image paths, prompt injection through generate-sunit, and path traversal in project creation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph and LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, driven by the shell-execution and environment-dump findings listed below.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Detail and recommended fix | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnmci/smalltalk/smalltalk.py:137 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnmci/smalltalk/smalltalk.py:240 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnmci/smalltalk/smalltalk.py:249 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnmci/smalltalk/smalltalk.py:263 |
| CRITICAL | Credential harvesting | Bulk environment variable dump. Skills should only access the environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are rarely necessary and hand every secret in the parent process to whatever receives the copy. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/johnmci/smalltalk/smalltalk.py:247 |
| CRITICAL | Arbitrary command execution via VM/image path | The `smalltalk-daemon.py` and `smalltalk-dev-daemon.py` scripts construct subprocess commands using the `SQUEAK_VM_PATH` and `SQUEAK_IMAGE_PATH` environment variables (or the `--vm`/`--image` CLI arguments for the dev daemon). If an attacker can control these environment variables or CLI arguments, they can cause an arbitrary executable to run on the host system; for example, setting `SQUEAK_VM_PATH` to a malicious executable or script would cause `xvfb-run` to execute it. Strictly validate `SQUEAK_VM_PATH` and `SQUEAK_IMAGE_PATH` (and the corresponding CLI arguments) so they point only to trusted executables and image files: use an allowlist of permitted VM locations, resolve symlinks before checking, or verify file integrity. Never use a user-controlled path directly as the executable name. | LLM | smalltalk-daemon.py:105 |
| HIGH | Unsafe environment variable passthrough | Bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/johnmci/smalltalk/smalltalk.py:247 |
| HIGH | Dangerous call: subprocess.Popen() | Call to `subprocess.Popen()` detected in function `debug_squeak`. This can execute arbitrary code if the argument list is built from untrusted input or `shell=True` is used. Avoid dangerous functions such as exec/eval/os.system; pass an argv list of validated, absolute paths instead. | Static | skills/johnmci/smalltalk/smalltalk.py:240 |
| HIGH | Dangerous call: subprocess.Popen() | Call to `subprocess.Popen()` detected in function `debug_squeak`. This can execute arbitrary code if the argument list is built from untrusted input or `shell=True` is used. Avoid dangerous functions such as exec/eval/os.system; pass an argv list of validated, absolute paths instead. | Static | skills/johnmci/smalltalk/smalltalk.py:249 |
| HIGH | Dangerous call: subprocess.Popen() | Call to `subprocess.Popen()` detected in function `start`. This can execute arbitrary code if the argument list is built from untrusted input or `shell=True` is used. Avoid dangerous functions such as exec/eval/os.system; pass an argv list of validated, absolute paths instead. | Static | skills/johnmci/smalltalk/smalltalk.py:137 |
| HIGH | Dangerous call: subprocess.run() | Call to `subprocess.run()` detected in function `debug_squeak`. This can execute arbitrary code if the argument list is built from untrusted input or `shell=True` is used. Avoid dangerous functions such as exec/eval/os.system; pass an argv list of validated, absolute paths instead. | Static | skills/johnmci/smalltalk/smalltalk.py:263 |
| HIGH | Environment variable exposure to Smalltalk VM | The `smalltalk-daemon.py` and `smalltalk-dev-daemon.py` scripts pass a copy of the entire `os.environ` to the Squeak VM subprocess, so every environment variable, including potentially sensitive API keys such as `ANTHROPIC_API_KEY` and `OPENAI_API_KEY`, is visible to the Smalltalk VM. If malicious Smalltalk code runs inside the VM (for example via prompt injection or direct evaluation), it can read and exfiltrate those credentials. Filter the environment passed to the subprocess down to the variables the Squeak VM actually needs instead of passing `os.environ.copy()`; provide any credentials the VM genuinely requires through a dedicated channel rather than the global environment. | LLM | smalltalk-daemon.py:110 |
| HIGH | Prompt injection leading to Smalltalk code execution | The `generate-sunit` command in `smalltalk.py` uses an LLM to generate Smalltalk code from user input (for example, method selectors), and the generated code is then executed directly in the Smalltalk VM. An attacker who crafts input that manipulates the LLM's prompt can make it emit arbitrary Smalltalk code, which then runs in the VM: a direct prompt injection with high impact. Validate user-provided arguments to `generate-sunit` strictly (an allowlist pattern for method and class names), validate the LLM's output against a safety policy before it is evaluated, and run the Smalltalk VM sandboxed with minimal privileges. | LLM | SKILL.md:140 |
| MEDIUM | Path traversal in project creation | The `create_project` function in `smalltalk_projects.py` builds project directories from the user-provided `name` without sufficient sanitization. A `name` containing traversal sequences (`../`, `../../`) lets an attacker create directories and copy files outside the intended `~/smalltalk-projects` directory, potentially overwriting or creating files elsewhere on the filesystem. Restrict `name` to a strict pattern of directory-safe characters (no path separators, no traversal sequences), for example `^[A-Za-z0-9][A-Za-z0-9_-]*$`. Note that `os.path.basename(name)` on its own is not sufficient: `basename("..")` is still `..`, and `basename("foo/")` is an empty string. | LLM | smalltalk_projects.py:84 |
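The findings at smalltalk.py:137/240/249/263 (VM launch via subprocess), :247 (full `os.environ` copy) and smalltalk-daemon.py:105/110 (unvalidated `SQUEAK_VM_PATH`, environment exposure) share one fix: validate the executable against an allowlist of locations, build an argv list rather than a shell string, and hand the child a filtered environment. The following is an added example written for this report, not code from the smalltalk skill; the function names, the allowed VM directories and the environment allowlist are assumptions, and the demo uses the current Python interpreter as a stand-in for the Squeak VM with a constructed, fake API key so it runs offline.

```python
"""Hardened VM launch: allowlisted executable, argv list, filtered environment.

Added example, not the skill's code. Nothing here starts a real Squeak VM; the
demo spawns this Python interpreter as a stand-in child process.
"""
import os
import subprocess
import sys

# Assumption: directories the VM binary may live in. Adjust per deployment.
ALLOWED_VM_DIRS = ("/usr/bin", "/usr/local/bin", "/opt/squeak")
# Assumption: the minimal variables a headless Squeak VM needs. No API keys.
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "LC_ALL", "DISPLAY", "TMPDIR")


def filter_env(environ):
    """Return a new environment containing only allowlisted keys."""
    return {k: v for k, v in environ.items() if k in ENV_ALLOWLIST}


def _under_any(resolved, dirs):
    """True if `resolved` (an absolute, symlink-free path) lies inside one of `dirs`."""
    for d in dirs:
        root = os.path.realpath(d)  # resolve e.g. /bin -> /usr/bin on merged-usr systems
        try:
            if os.path.commonpath([root, resolved]) == root:
                return True
        except ValueError:  # different drives / mixed absolute-relative paths
            continue
    return False


def resolve_trusted_executable(candidate, allowed_dirs=ALLOWED_VM_DIRS):
    """Resolve symlinks, then require an executable regular file inside an allowed dir.

    Raises ValueError instead of launching whatever SQUEAK_VM_PATH points at.
    """
    resolved = os.path.realpath(candidate)
    if not _under_any(resolved, allowed_dirs):
        raise ValueError(f"VM path {candidate!r} resolves outside the allowed directories")
    if not os.path.isfile(resolved) or not os.access(resolved, os.X_OK):
        raise ValueError(f"VM path {candidate!r} is not an executable file")
    return resolved


def is_trusted_executable(candidate, allowed_dirs=ALLOWED_VM_DIRS):
    try:
        resolve_trusted_executable(candidate, allowed_dirs)
        return True
    except ValueError:
        return False


def build_vm_command(vm_path, image_path, script_args=()):
    """Build an argv list (never a shell string) after validating both paths."""
    vm = resolve_trusted_executable(vm_path)
    image = os.path.realpath(image_path)
    if not image.endswith(".image") or not os.path.isfile(image):
        raise ValueError(f"image path {image_path!r} is not an existing .image file")
    return [vm, "-headless", image, *script_args]


def child_view_of_secret(env, var="ANTHROPIC_API_KEY"):
    """Spawn a stand-in child with `env` and return the value it sees for `var`.

    Models what Smalltalk code inside the VM could read; returns '<absent>' if unset.
    """
    code = f"import os; print(os.environ.get({var!r}, '<absent>'), end='')"
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout


# Constructed parent environment for the demo; the keys are fake.
DEMO_PARENT_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin"),
    "HOME": "/home/demo",
    "ANTHROPIC_API_KEY": "sk-ant-demo-not-real",
    "OPENAI_API_KEY": "sk-demo-not-real",
}

if __name__ == "__main__":
    print("os.environ.copy() style:", child_view_of_secret(dict(DEMO_PARENT_ENV)))
    print("filtered env:          ", child_view_of_secret(filter_env(DEMO_PARENT_ENV)))
    print("/bin/sh trusted:", is_trusted_executable("/bin/sh", ("/bin", "/usr/bin")))
    print("/etc/passwd trusted:", is_trusted_executable("/etc/passwd", ("/bin", "/usr/bin")))
```

The realpath step matters: an allowlist check on the raw string is bypassed by a symlink inside an allowed directory that points elsewhere, so both the candidate and the allowed roots are resolved before comparison. Credentials the VM genuinely needs should be delivered over a dedicated channel (a file with restrictive permissions, a socket) rather than re-added to the environment.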
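For the prompt-injection finding at SKILL.md:140, two gates are needed: the class and method names a user passes to `generate-sunit` must be valid Smalltalk identifiers before they are interpolated into the LLM prompt, and the code the LLM returns must be checked before it is evaluated in the image. The example below is added here and is not the skill's code; the function names, the allowed-globals set and the denylist are assumptions, and the two generated-code samples are constructed for the demo. The strongest check is the positive one: every global (capitalised identifier outside strings and comments) referenced by the generated test must be on a short allowlist plus the class under test, so `Smalltalk`, `OSProcess` or `FileStream` are rejected even if a denylist misses them.

```python
"""Input validation and output gating for LLM-generated SUnit code.

Added example, not the skill's code. Treat this as one layer only: the VM
should still run sandboxed with minimal privileges.
"""
import re

_IDENT = r"[A-Za-z][A-Za-z0-9]*"
_CLASS_RE = re.compile(r"^[A-Z][A-Za-z0-9]*$")
# Unary ("value") or keyword ("at:put:") selectors only; binary selectors are
# deliberately not accepted for test generation.
_SELECTOR_RE = re.compile(rf"^(?:{_IDENT}|(?:{_IDENT}:)+)$")

# Assumption: globals a generated unit test may legitimately reference.
BASE_ALLOWED_GLOBALS = {"TestCase", "Object", "Array", "OrderedCollection", "Dictionary",
                        "Set", "String", "Symbol", "Character", "Integer", "Float",
                        "Transcript"}
# Assumption: belt-and-braces denylist for selectors/classes tied to system access.
FORBIDDEN_PATTERNS = [r"\bSmalltalk\s+at:", r"\bOSProcess\b", r"\bFileStream\b",
                      r"\bFileDirectory\b", r"\bCompiler\b", r"\bevaluate:", r"\bperform:",
                      r"\bprimitive\b", r"\bFFI"]


def validate_class_name(name):
    if not isinstance(name, str) or not _CLASS_RE.fullmatch(name):
        raise ValueError(f"invalid class name {name!r}")
    return name


def validate_selector(selector):
    if not isinstance(selector, str) or not _SELECTOR_RE.fullmatch(selector):
        raise ValueError(f"invalid selector {selector!r}")
    return selector


def is_valid_selector(selector):
    try:
        validate_selector(selector)
        return True
    except ValueError:
        return False


def build_prompt(class_name, selector):
    """Only validated identifiers reach the prompt, so free text cannot become instructions."""
    cls, sel = validate_class_name(class_name), validate_selector(selector)
    return (f"Write an SUnit TestCase subclass named {cls}Test that exercises "
            f"{cls}>>#{sel}. Output only Smalltalk source, no prose.")


def _strip_literals(code):
    """Remove "comments" and 'strings' ('' is the escaped quote) before scanning."""
    code = re.sub(r'"[^"]*"', " ", code)
    return re.sub(r"'(?:[^']|'')*'", " ", code)


def referenced_globals(code):
    """Capitalised identifiers not preceded by '#' (symbols) or another word char."""
    return set(re.findall(r"(?<![#\w])[A-Z][A-Za-z0-9]*", _strip_literals(code)))


def check_generated_code(code, class_under_test, max_chars=4000):
    """Return a list of problems; an empty list means the code may be evaluated."""
    problems = []
    if len(code) > max_chars:
        problems.append(f"generated code exceeds {max_chars} characters")
    for pat in FORBIDDEN_PATTERNS:
        if re.search(pat, code):
            problems.append(f"forbidden construct: {pat}")
    allowed = BASE_ALLOWED_GLOBALS | {class_under_test, class_under_test + "Test"}
    for g in sorted(referenced_globals(code) - allowed):
        problems.append(f"unexpected global: {g}")
    return problems


# Constructed samples standing in for LLM output.
GOOD_GENERATED = """
TestCase subclass: #CounterTest
    instanceVariableNames: 'counter'
    classVariableNames: ''
    package: 'Demo'.

CounterTest >> testIncrement
    "increment twice and check the value"
    counter := Counter new.
    counter increment; increment.
    self assert: counter value equals: 2.
"""

BAD_GENERATED = """
CounterTest >> testIncrement
    (Smalltalk at: #OSProcess) command: 'env'.
    self assert: true.
"""

if __name__ == "__main__":
    print(build_prompt("Counter", "increment"))
    print("good:", check_generated_code(GOOD_GENERATED, "Counter"))
    print("bad: ", check_generated_code(BAD_GENERATED, "Counter"))
```

The regex-based global scan is a coarse approximation of parsing Smalltalk, which is why the denylist is kept alongside it; a production gate would compile the generated chunk in a throwaway environment and inspect the resulting method literals instead.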
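For the path-traversal finding at smalltalk_projects.py:84, the example below shows why the suggested `os.path.basename(name)` is not a fix on its own and what a strict check looks like. It is added here and is not the skill's code; the `PROJECTS_ROOT` value, the name pattern and the function names are assumptions. The regex rejects anything that is not a plain directory-safe name, and the containment check on the resolved path is defence in depth in case the pattern is ever loosened.

```python
"""Strict project-name validation for create_project (added example, not the skill's code)."""
import os
import re

# Assumption: the base directory used by smalltalk_projects.py.
PROJECTS_ROOT = os.path.expanduser("~/smalltalk-projects")
# Letters, digits, '-' and '_'; must start alphanumeric; no dots, so '..', '.git'
# and '.ssh' are impossible; bounded length.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def basename_only(name):
    """The report's suggested fix on its own, shown for comparison."""
    return os.path.basename(name)


def validate_project_name(name):
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid project name {name!r}")
    return name


def is_safe_project_name(name):
    try:
        validate_project_name(name)
        return True
    except ValueError:
        return False


def project_dir(name, root=PROJECTS_ROOT):
    """Return the directory for `name`, guaranteed to be a direct child of `root`."""
    safe = validate_project_name(name)
    root_abs = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root_abs, safe))
    # Defence in depth: refuse anything whose parent is not exactly the root.
    if os.path.dirname(target) != root_abs:
        raise ValueError(f"{name!r} resolves outside {root_abs}")
    return target


# Constructed inputs: the first four are the kinds of names an attacker would try.
SAMPLE_NAMES = ["../../etc/cron.d/job", "..", "foo/", ".ssh", "my project", "my-project_1"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r:24} basename -> {basename_only(n)!r:12} strict -> {is_safe_project_name(n)}")
    print(project_dir("my-project_1", "/srv/projects"))
```

Running it shows `basename` passing `..` through unchanged and turning `foo/` into an empty name, while the strict check accepts only `my-project_1`.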
Full report: https://skillshield.io/report/fbf9b45bdb2d2e6b