Trust Assessment
smart-router received a trust score of 24/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 0 critical, 4 high, 3 medium, and 1 low severity. Key findings include Unsafe deserialization / dynamic eval, Command Injection via sessions_spawn task parameter, Excessive Permissions via Configurable File Paths.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Recommendation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/c0nspic0us7urk3r/smart-router/executor.py:177 |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Recommendation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/c0nspic0us7urk3r/smart-router/executor.py:390 |
| HIGH | **Command Injection via sessions_spawn task parameter.** The `executor.py` file constructs a `sessions_spawn` tool call where the `task` parameter is directly derived from user input (`self.spawn_params['task']`). Although the input is truncated to 100 characters, this still presents a significant command injection vulnerability if the host LLM or the `sessions_spawn` tool itself is not robustly designed to sanitize or escape malicious input within its arguments. An attacker could craft a message that, when passed as a task, executes unintended commands or manipulates the behavior of the delegated agent. Recommendation: Implement strict input validation and sanitization for all parameters passed to `sessions_spawn`, especially the `task` argument. Ensure that the `sessions_spawn` tool itself and any agents receiving these tasks are designed with robust defenses against command and prompt injection. Consider using a more structured data format for tasks instead of raw strings if possible, or ensure all string inputs are properly escaped for the target execution environment. | LLM | executor.py:80 |
| HIGH | **Excessive Permissions via Configurable File Paths.** The skill allows configuration of critical file system paths (e.g., `ROUTER_STATE_DIR`, `ROUTER_LOGS_DIR`) via environment variables or the `router_config.json` file. If an attacker can control these environment variables or inject a malicious `router_config.json` (e.g., by placing it in a search path like `Path.cwd()` which `router_hook.py` checks), they could direct the skill to read, write, or delete files in arbitrary locations on the filesystem, leading to data tampering, data exfiltration, or denial of service. Recommendation: Restrict the ability to configure sensitive file paths to trusted sources only. If environment variables or configuration files are used, ensure they are protected from unauthorized modification. Validate configured paths to ensure they are within an allowed, sandboxed directory. Avoid searching for configuration files in potentially untrusted locations like the current working directory. | LLM | state_manager.py:154 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Recommendation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/c0nspic0us7urk3r/smart-router/executor.py:294 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Recommendation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/c0nspic0us7urk3r/smart-router/router_gateway.py:9 |
| MEDIUM | **Potential Data Exfiltration via Logging of User Input.** Multiple files (`context_guard.py`, `executor.py`, `router_gateway.py`, `router_hook.py`) log information that can include parts of the user's message or derived metadata. While `state_manager.py`'s `RoutingLogEntry` does not explicitly store the full message, other logging statements (`logger.info`, `logger.warning`) could inadvertently capture and persist sensitive user input or parts of it (e.g., in the `reason` field of a log entry or general debug logs). This creates a risk of sensitive data being exfiltrated through log files if not properly redacted or secured. Recommendation: Implement a strict logging policy that redacts or sanitizes all potentially sensitive user input before it is written to logs. Avoid logging raw user messages or any derived content that might contain PII or credentials. Use structured logging with explicit fields for non-sensitive data, and ensure log files are secured with appropriate access controls. | LLM | router_hook.py:130 |
| LOW | **Unpinned tiktoken dependency.** The `context_guard.py` and `router_gateway.py` files attempt to import `tiktoken` without specifying a version in the manifest or a `requirements.txt` file. While the code gracefully handles `ImportError` by falling back to a heuristic, relying on an unpinned external dependency can lead to supply chain risks. An update to `tiktoken` could introduce breaking changes, performance regressions, or even vulnerabilities if a malicious version were to be installed, potentially affecting the skill's behavior or security posture. Recommendation: Specify exact versions for all external dependencies, including `tiktoken`, in a `requirements.txt` file or the skill's manifest. This ensures deterministic builds and reduces the risk of unexpected behavior or vulnerabilities introduced by unvetted dependency updates. Regularly audit and update dependencies to address known security issues. | LLM | context_guard.py:49 |
Full report: https://skillshield.io/report/0cee8420d863b282 (powered by SkillShield)