Trust Assessment
tencent-ima-skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 1 critical, 3 high, 3 medium, and 2 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings9
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/hyddd/tencent-ima-skill/scripts/ima.py:74 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/hyddd/tencent-ima-skill/scripts/ima.py:193 | |
| HIGH | Dangerous call: subprocess.Popen() Call to 'subprocess.Popen()' detected in function 'launch_app'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/hyddd/tencent-ima-skill/scripts/ima.py:74 | |
| HIGH | Command Injection via Unsanitized Skill Arguments The skill's implementation in SKILL.md constructs a shell command by directly interpolating user-provided parameters (`query`) into a string. If the `query` contains shell metacharacters (e.g., `" --evil-arg`), it can break out of the quoted string and inject arbitrary arguments or commands into the `python3` invocation. Although the Python script uses `argparse`, the initial shell invocation is vulnerable. Modify the skill invocation to pass arguments as a list to `subprocess.Popen` or ensure robust shell escaping for all user-provided parameters. For example, use `shlex.quote()` if constructing a shell command string, or ideally, pass arguments directly to the Python interpreter without an intermediate shell. | LLM | SKILL.md:19 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/hyddd/tencent-ima-skill/SKILL.md:1 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/hyddd/tencent-ima-skill/scripts/ima.py:7 | |
| MEDIUM | Information Leak: Full Query Printed to Stderr The script prints the full user search query, including any potentially sensitive information, to `sys.stderr` during the navigation process. While `stderr` is not `stdout`, it is often logged and could expose private user data. Avoid printing sensitive user input like the full query to `sys.stderr`. If debugging is necessary, consider redacting parts of the query or using a dedicated logging mechanism that can be disabled in production. | LLM | scripts/ima.py:105 | |
| LOW | Information Leak: Partial Knowledge ID Printed to Stderr The script prints the first four characters of the `knowledge_id` to `sys.stderr` when injecting it. Although truncated, this still confirms the ID's usage and reveals a portion of it, which could be a minor information leak if the ID is considered sensitive. Avoid printing any part of potentially sensitive identifiers like `knowledge_id` to `sys.stderr`. If logging is required, ensure it's done securely and only when necessary, without exposing even partial credentials. | LLM | scripts/ima.py:96 | |
| LOW | Unpinned Third-Party Dependency The skill imports the `websocket` library, but there is no visible `requirements.txt` or similar mechanism in the provided context to pin its version. This makes the skill vulnerable to supply chain attacks if a malicious version of `websocket-client` is published to PyPI, as an unpinned dependency could automatically update to it. Add a `requirements.txt` file to the skill package, explicitly pinning all third-party dependencies to specific, known-good versions (e.g., `websocket-client==1.6.6`). Ensure that the skill's deployment process installs dependencies from this pinned file. | LLM | scripts/ima.py:26 |
Scan History
Embed Code
[](https://skillshield.io/report/d33e1bf456df88c5)
Powered by SkillShield