Trust Assessment
supernote received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 10 critical, 4 high, 2 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Arbitrary command execution, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings16
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/nickian/supernote-cloud/SKILL.md:9 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/nickian/supernote-cloud/scripts/supernote.sh:6 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/nickian/supernote-cloud/scripts/article2ebook.py:234 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/nickian/supernote-cloud/scripts/article2ebook.py:253 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/nickian/supernote-cloud/scripts/supernote.sh:68 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/nickian/supernote-cloud/scripts/supernote.sh:88 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/nickian/supernote-cloud/scripts/supernote.sh:314 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/nickian/supernote-cloud/scripts/supernote.sh:334 | |
| CRITICAL | Unsanitized environment variable in `python3 -c` command The `SUPERNOTE_PASSWORD` environment variable is directly interpolated into a Python script executed via `python3 -c`. If `SUPERNOTE_PASSWORD` contains characters that break out of the string literal (e.g., a single quote followed by malicious Python code), it could lead to arbitrary command execution within the Python interpreter. This allows a malicious deployer to execute arbitrary code on the system where the skill is run. Escape `$SUPERNOTE_PASSWORD` using `shlex.quote()` before interpolating it into the Python script string, or pass it as a separate argument to a Python script file (e.g., using `sys.argv`) instead of embedding it directly in a `python3 -c` command. | LLM | scripts/supernote.sh:90 | |
| CRITICAL | Unsanitized external API response in `python3 -c` command (Supply Chain Risk) The `$RANDOM_CODE` variable, which is obtained from an external Supernote API response, is directly interpolated into a Python script executed via `python3 -c`. If the external API is compromised or malicious, it could return a `randomCode` value containing characters that break out of the string literal (e.g., a single quote followed by malicious Python code). This would lead to arbitrary command execution within the Python interpreter, representing a significant supply chain risk. Escape `$RANDOM_CODE` using `shlex.quote()` before interpolating it into the Python script string, or pass it as a separate argument to a Python script file (e.g., using `sys.argv`). Implement strict validation of all external inputs before using them in command execution contexts. Consider isolating network requests to external services. | LLM | scripts/supernote.sh:91 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'to_pdf'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/nickian/supernote-cloud/scripts/article2ebook.py:234 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'to_pdf'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/nickian/supernote-cloud/scripts/article2ebook.py:253 | |
| HIGH | Arbitrary local file upload leading to data exfiltration The `upload` command in `supernote.sh` allows a user to specify an arbitrary local file path via the `--file` argument. The skill then uses `curl` to read and upload the content of this specified file to the Supernote cloud. This functionality can be abused by a malicious user to exfiltrate sensitive files from the system where the skill is executed (e.g., `/etc/passwd`, SSH keys, configuration files, or other private data accessible to the skill's process). Implement strict validation and sanitization of the `--file` argument. Restrict file uploads to specific, non-sensitive directories or file types. If possible, require explicit user confirmation for file uploads or use a sandboxed environment with limited filesystem access. | LLM | scripts/supernote.sh:270 | |
| HIGH | Server-Side Request Forgery (SSRF) via user-controlled URL The `send-article` command in `supernote.sh` takes a user-provided URL via the `--url` argument. This URL is then passed directly to `article2ebook.py`, which uses `requests.get()` to fetch its content. This allows a malicious user to perform Server-Side Request Forgery (SSRF) attacks, potentially accessing internal network resources, scanning ports, or interacting with services not intended to be publicly exposed from the skill's execution environment. This can lead to information disclosure or further attacks. Implement strict URL validation (e.g., whitelist allowed domains/schemes, block private IP ranges, disallow `file://` or other local schemes) before fetching content from user-provided URLs. Consider using a dedicated proxy or service for fetching external content to isolate the skill's network environment. | LLM | scripts/article2ebook.py:26 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/nickian/supernote-cloud/scripts/article2ebook.py:20 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/nickian/supernote-cloud/scripts/supernote.sh:133 |
Scan History
Embed Code
[](https://skillshield.io/report/5905e48a03be0b2b)
Powered by SkillShield