Trust Assessment
tessie received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include "Missing required field: name", "Sensitive environment variable access: $HOME", and "API key vulnerable to exfiltration via environment variable override".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **API key vulnerable to exfiltration via environment variable override.** The `TESSIE_API_URL` variable is initialized from an environment variable if present (`TESSIE_API_URL="${TESSIE_API_URL:-https://api.tessie.com}"`). If an attacker can control the environment where this script runs, they can set `TESSIE_API_URL` to a malicious server. Since the `TESSIE_API_KEY` is included in the `Authorization` header for all API requests made by `api_request`, this would lead to the exfiltration of the API key to the attacker's controlled server. While this pattern is sometimes used for testing, it poses a significant security risk if the execution environment is not strictly controlled. Restrict the ability to override `TESSIE_API_URL` via environment variables if not strictly necessary. If overriding is required, implement robust validation to ensure the URL points to a trusted Tessie domain before including the `Authorization` header, or ensure the execution environment is highly secure and isolated. | LLM | tessie.sh:7 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/baanish/tessie/SKILL.md:1 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/baanish/tessie/tessie.sh:14 |
| MEDIUM | **Denial of Service for 'drives' command due to missing function and incorrect argument parsing.** The `drives` command functionality is broken and will cause the script to exit prematurely. This is due to two issues: (1) **Incorrect Argument Assignment**: The `LIMIT` variable is assigned the script's first argument (the command name, e.g., 'drives') instead of the intended second argument (the numeric limit). (2) **Missing Validation Function**: The script attempts to call an undefined function `validate_number` on line 144 to validate this `LIMIT` variable. Because `set -e` is enabled, the script will exit immediately when it tries to execute the non-existent `validate_number` function, leading to a Denial of Service for anyone attempting to use the `drives` command. Correctly assign the `LIMIT` variable from the second argument (`LIMIT="${2:-5}"`). Additionally, define the `validate_number` function to properly validate that the input is a numeric value within expected bounds before it is used in the API request. | LLM | tessie.sh:144 |