Trust Assessment
supermarkt-prijzen received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 34 findings: 9 critical, 17 high, 7 medium, and 1 low severity. Key findings include "Network egress to untrusted endpoints", "Arbitrary command execution", and "Potential data exfiltration: file read + network send".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (34)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/auto-fetch-cookies.sh:10 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/auto-fetch-cookies.sh:25 | |
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/ah-recipes.py:61 | |
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/debug-api.py:16 | |
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/find-search-query.py:46 | |
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/introspect.py:27 | |
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/list-queries.py:23 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/cgnl/supermarkt-prijzen/ah-recipes.py:25 | |
| CRITICAL | Prompt Injection via User-Provided LLM Input The `smart-cook.sh` script explicitly instructs the user to provide input that will be used as a prompt to the host LLM. The instruction `image --image $FRIDGE_IMAGE --prompt 'List all visible food items as comma-separated list'` is a direct prompt injection vector. An attacker (or malicious user) can craft arbitrary instructions within the 'List all visible food items...' part, potentially manipulating the host LLM's behavior or extracting sensitive information from its context. Avoid constructing LLM prompts directly from untrusted user input. If user input is necessary, sanitize it rigorously or use a structured input mechanism that prevents arbitrary instruction injection. Consider using a dedicated tool call for image analysis that returns structured data instead of relying on LLM prompt generation. | LLM | smart-cook.sh:30 | |
| HIGH | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/test-allerhande-introspection.py:26 | |
| HIGH | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/test-bonuses-anonymous.py:29 | |
| HIGH | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/test-full-search.py:28 | |
| HIGH | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/test-product-search-graphql.py:41 | |
| HIGH | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/test-products-graphql2.py:33 | |
| HIGH | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/test-real-search.py:33 | |
| HIGH | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cgnl/supermarkt-prijzen/test-search-full.py:28 | |
| HIGH | Potential data exfiltration: file read + network send Function 'authorize' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/cgnl/supermarkt-prijzen/ah-mobile-auth.py:89 | |
| HIGH | Potential data exfiltration: file read + network send Function 'refresh_token' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/cgnl/supermarkt-prijzen/ah-mobile-auth.py:138 | |
| HIGH | Potential data exfiltration: file read + network send Function 'test_api' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/cgnl/supermarkt-prijzen/ah-mobile-auth.py:150 | |
| HIGH | Potential data exfiltration: file read + network send Function 'introspect' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/cgnl/supermarkt-prijzen/ah-mobile-auth.py:267 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'refresh_cookies'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/cgnl/supermarkt-prijzen/ah-recipes.py:25 | |
| HIGH | Potential data exfiltration: file read + network send Function 'get_anonymous_token' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/cgnl/supermarkt-prijzen/get-bonuses-v2.py:72 | |
| HIGH | Potential data exfiltration: file read + network send Function 'get_user_token' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/cgnl/supermarkt-prijzen/get-bonuses-v2.py:112 | |
| HIGH | Potential data exfiltration: file read + network send Function 'refresh_token' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/cgnl/supermarkt-prijzen/get-bonuses-v2.py:156 | |
| HIGH | Hardcoded Sensitive File Path Leading to Data Exfiltration Risk Several Python scripts (`refresh-token.py`, `ah-oauth-api.py`, `exchange-code.py`, `oauth-flow.py`) hardcode the path `/Users/sander/.ah_tokens.json` for reading and writing OAuth tokens. This is a significant bug and a data exfiltration risk. If the skill is executed by a user other than 'sander', it will attempt to access sensitive token files belonging to 'sander', potentially leading to unauthorized access or leakage of another user's credentials. It also prevents the skill from working for other users. Replace hardcoded user paths like `/Users/sander/.ah_tokens.json` with `Path.home() / '.ah_tokens.json'` to ensure the script accesses the current user's home directory. This makes the skill portable and prevents cross-user data access. | LLM | refresh-token.py:8 | |
| HIGH | Credential Harvesting via Safari Cookie Database Access The `extract-cookies.sh` script directly accesses and extracts cookies from Safari's `Cookies.binarycookies` database using `sqlite3`. This is a direct form of credential harvesting, as it reads sensitive session cookies from a system-level file. While the script is intended for self-use, it demonstrates a capability to programmatically extract credentials stored by the browser, which is a high-risk operation. Avoid direct access to browser-managed credential stores. If session cookies are required, prefer using secure, browser-provided APIs or manual user input. If automation is necessary, ensure it operates within a sandboxed environment and has explicit user consent for each access. | LLM | extract-cookies.sh:26 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/cgnl/supermarkt-prijzen/checkjebon-search.py:16 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/cgnl/supermarkt-prijzen/get-bonuses-v2.py:23 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/cgnl/supermarkt-prijzen/test-personal-bonus.py:7 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/cgnl/supermarkt-prijzen/auto-fetch-cookies.sh:5 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/cgnl/supermarkt-prijzen/extract-cookies.sh:7 | |
| MEDIUM | Excessive Permissions Required for Cookie Extraction The `extract-cookies.sh` script requires 'Full Disk Access' for the terminal application to read Safari's cookie database. This is a very high privilege that grants the terminal (and any script executed within it) access to all user files, significantly increasing the attack surface if the script or the terminal environment is compromised. Re-evaluate the necessity of extracting cookies directly from the browser's database. If essential, explore less privileged methods or clearly document the security implications and provide alternative, less intrusive authentication methods. | LLM | extract-cookies.sh:30 | |
| MEDIUM | Command Injection Risk via Subprocess Execution of Local Script The `ah-recipes.py` script executes `auto-fetch-cookies.sh` using `subprocess.run([str(refresh_script)], check=True)`. While `auto-fetch-cookies.sh` is part of the same package, any `subprocess.run` call with a dynamically constructed command or path introduces a command injection risk if the script's path or content could be manipulated by an attacker. This could lead to arbitrary code execution. Ensure that the `refresh_script` path is absolutely controlled and not susceptible to manipulation. If possible, refactor the functionality into Python directly to avoid shell execution, or use `shlex.quote` if arguments are passed to the shell. | LLM | ah-recipes.py:24 | |
| LOW | Reliance on External Unverified Data Source (Supply Chain Risk) The `checkjebon-search.py` script downloads supermarket data from `https://raw.githubusercontent.com/supermarkt/checkjebon/main/data/supermarkets.json`. While the URL is hardcoded, relying on external data sources, especially raw files from GitHub, introduces a supply chain risk. If the `supermarkt/checkjebon` repository were compromised, malicious data could be injected into the downloaded JSON, potentially leading to unexpected behavior or further exploits in the skill. Implement integrity checks (e.g., checksum verification) for downloaded data. Consider hosting critical data on a more controlled and verified infrastructure, or pin to specific versions/commits of external data sources. | LLM | checkjebon-search.py:14 |