Trust Assessment
supercall received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 4 critical, 2 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Unpinned npm dependency version, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/xonder/supercall/index.ts:298 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/xonder/supercall/src/tunnel.ts:234 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/xonder/supercall/src/webhook.ts:424 |
| CRITICAL | Prompt Injection via Persona and Goal Parameters: The `buildPersonaPrompt` function directly interpolates user-controlled `persona` and `goal` strings into the AI's system prompt without sanitization. These parameters are provided by the user when calling the `supercall` tool. A malicious user can craft these inputs to include instructions that override the LLM's directives, manipulate its behavior, bypass safety mechanisms, or attempt to extract sensitive information. The `openingLine` parameter also poses a similar risk. Remediation: implement robust input validation and sanitization for the `persona`, `goal`, and `openingLine` parameters before they are used in the AI's prompt. Consider using a dedicated prompt templating library that enforces strict separation between instructions and user-provided data, or escape/filter potentially malicious characters. Additionally, ensure the LLM's safety mechanisms are configured to detect and mitigate prompt injection attempts. | LLM | index.ts:20 |
| HIGH | Command Injection via ngrok Custom Domain: The `startNgrokTunnel` function uses `child_process.spawn` to execute the `ngrok` command. The `config.domain` parameter, which is a user-configurable string (`config.tunnel.ngrokDomain`), is directly appended to the `ngrok` command arguments: `args.push("--domain", config.domain);`. If a malicious user provides a `config.tunnel.ngrokDomain` value containing shell metacharacters (e.g., `example.com; rm -rf /`), it could lead to arbitrary command execution on the host system. Although `spawn` with an array of arguments typically prevents shell interpretation, `ngrok` itself might process the domain argument in a way that allows for injection if it is not properly sanitized by the application. Remediation: sanitize or validate the `config.tunnel.ngrokDomain` input to ensure it only contains valid domain characters and does not include any shell metacharacters. Alternatively, if `ngrok` provides a safer API for setting the domain, use that instead of direct command-line argument interpolation. Consider using a whitelist approach for allowed domain characters. | LLM | src/tunnel.ts:80 |
| HIGH | SSRF and Credential Exfiltration via Public Webhook URL: The `ensurePublicWebhookReachable` function performs an HTTP `fetch` request to `this.webhookUrl` to verify reachability. This `webhookUrl` is derived from `config.publicUrl`, which is a user-configurable string. The `fetch` request includes a sensitive header, `x-supercall-self-test`, containing `this.selfTestSecret`. A malicious actor could configure `config.publicUrl` to point to an internal network address (e.g., `http://192.168.1.100/`) or a cloud metadata endpoint (e.g., `http://169.254.169.254/latest/meta-data/`) to perform Server-Side Request Forgery (SSRF). This could lead to the exfiltration of the `selfTestSecret` to an attacker-controlled server or expose it to an internal service, potentially compromising the system's security. Remediation: implement a strict allowlist for `config.publicUrl` to only permit known, trusted external domains, or validate that the URL points to a public, non-internal IP address. Enhance the `isLocal` check to cover a broader range of internal IP address ranges (e.g., RFC 1918 private networks). Consider removing the `selfTestSecret` from the `fetch` request if it is not strictly necessary for public webhook reachability testing, or use a separate, non-sensitive token for this purpose. | LLM | src/manager.ts:135 |
| MEDIUM | Unpinned npm dependency version: Dependency '@sinclair/typebox' is not pinned to an exact version ('^0.34.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/xonder/supercall/package.json |
| MEDIUM | Path Traversal via Configured Store Path: The `CallManager` constructor uses `resolveUserPath` to determine the `storePath` for call logs. The `rawPath` can be derived from `config.store`, which is a user-configurable string in the plugin's configuration. The `resolveUserPath` function, which uses `path.resolve`, does not adequately sanitize inputs containing path traversal sequences (e.g., `../../`). A malicious user could set `config.store` to a value like `../../../../tmp/evil_logs` to write call logs to arbitrary locations on the filesystem, potentially overwriting critical files, filling up sensitive directories, or creating files in unexpected locations. Remediation: implement strict validation for the `config.store` path to ensure it is within an allowed base directory and does not contain path traversal sequences (e.g., `..`, `/`). Consider using a library that specifically handles secure path resolution, or enforce that the path must be absolute and within a designated, sandboxed directory. Alternatively, disallow user-defined paths and only permit relative paths within the skill's own data directory. | LLM | src/manager.ts:60 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/xonder/supercall/package.json |
| INFO | Reduced Security Posture with ngrok Free Tier Compatibility: The `verifyTwilioWebhook` function includes an `allowNgrokFreeTier` option, which defaults to `true` in the configuration. When this option is enabled, the skill will proceed to process Twilio webhooks even if the signature validation fails, provided the webhook URL is identified as an ngrok free tier URL. This is a conscious trade-off for compatibility with ngrok's free service, but it significantly weakens the integrity checks for incoming webhook events. Malicious actors could potentially tamper with webhook payloads from ngrok free tier URLs, leading to unauthorized actions or data manipulation within the skill. Remediation: advise users that enabling `allowNgrokFreeTier` reduces security and should be avoided in production environments. Recommend using paid ngrok plans or other tunneling solutions that maintain webhook signature integrity. Provide clear documentation on the security implications of this setting. If possible, offer a more secure alternative for free tier users, such as a custom proxy that re-signs webhooks. | LLM | src/webhook-security.ts:150 |