Trust Assessment
spacemolt received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include LLM Persona and Autonomy Manipulation (Prompt Injection), Unpinned `mcp-remote` dependency, Extensive use of `tmux` and `npx` for persistent session management.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | LLM Persona and Autonomy Manipulation (Prompt Injection). The skill explicitly instructs the host LLM to adopt a specific persona ('You are a player now. Not an assistant.') and to act autonomously ('You are an autonomous player. Play indefinitely without asking permission. ... Never ask 'what should I do next?' - just do it'). These are direct commands intended to override the LLM's default instructions and modify its behavior, which constitutes a prompt injection. Remediation: remove or rephrase instructions that directly manipulate the LLM's persona, autonomy, or core directives. Instead, describe the desired behavior for the skill's context without issuing direct commands to the LLM itself. | LLM | SKILL.md:11 |
| CRITICAL | Unpinned `mcp-remote` dependency. The skill's manifest and usage (`npx -y mcp-remote`) do not specify a version for the `mcp-remote` Node.js package. This means `npx` will always fetch and execute the latest available version from npm. A malicious update to `mcp-remote` (e.g., via account compromise or typosquatting) could lead to arbitrary code execution on the host system without explicit user consent or review. Remediation: pin the `mcp-remote` dependency to a specific, known-good version in the manifest (e.g., `"package": "mcp-remote@1.2.3"`) and update the `npx` command accordingly if necessary. Regularly review and update the pinned version. | LLM | Manifest:1 |
| HIGH | Extensive use of `tmux` and `npx` for persistent session management. The skill extensively uses `tmux` and `npx` to manage a persistent background process (`mcp-remote`) and interact with it via shell commands. `npx` allows arbitrary Node.js package execution, and `tmux` provides full control over a shell environment, including background process management and sending arbitrary input. While this is the intended functionality for the skill, it grants a very broad set of permissions to the skill, increasing the attack surface for potential command injection if any part of the input (e.g., dynamic arguments to `send-keys`) were not properly sanitized, or if the `mcp-remote` package itself were compromised. Remediation: ensure all dynamic inputs passed to `tmux send-keys` are strictly validated and escaped to prevent JSON injection. Consider sandboxing the `tmux` session or `npx` execution environment if the platform allows for more granular control over shell commands. Review the `mcp-remote` package for security vulnerabilities. | LLM | SKILL.md:38 |
Full report: https://skillshield.io/report/a33fa8cacf35ecf4