Trust Assessment
tiered-memory received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 23 findings: 2 critical, 7 high, 14 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Suspicious import: urllib.request.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (23)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bowen31337/tiered-memory/scripts/memory_cli.py:876 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bowen31337/tiered-memory/scripts/metrics_tracker.py:33 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/bowen31337/tiered-memory/scripts/memory_cli.py:735 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'retrieve'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/bowen31337/tiered-memory/scripts/memory_cli.py:876 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'get_memory_stats'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/bowen31337/tiered-memory/scripts/metrics_tracker.py:33 |
| HIGH | Potential data exfiltration: file read + network send. Function 'search_llm' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/bowen31337/tiered-memory/scripts/tree_search.py:168 |
| HIGH | LLM Prompt Injection via User Input. The skill constructs LLM prompts by directly embedding user-controlled input (`query` for `tree_search.py` and `text` for `distiller.py`) without proper sanitization or escaping. An attacker could craft malicious input to manipulate the behavior of the underlying LLM, leading to unintended actions, information disclosure, or denial of service. Implement robust input sanitization and escaping for all user-controlled data before it is incorporated into LLM prompts. Consider using structured prompting techniques or dedicated LLM input sanitization libraries. For `distiller.py`, ensure the LLM prompt construction (if `--mode llm` is used) also sanitizes the input `text`. | LLM | scripts/tree_search.py:115 |
| HIGH | Sensitive Credentials Exposed in Process Arguments. The skill passes sensitive credentials (`$TURSO_URL`, `$TURSO_TOKEN`) directly as command-line arguments to `memory_cli.py` in the integration examples. These arguments are visible in system process listings (e.g., `ps aux`) to any user on the system, leading to unauthorized access to the Turso database. Do not pass sensitive credentials as command-line arguments. Instead, rely solely on environment variables (which `memory_cli.py` already reads via `os.getenv` in some contexts) or secure configuration files with restricted permissions. If environment variables are used, ensure they are not inadvertently logged or exposed. | LLM | SKILL.md:400 |
| HIGH | Arbitrary File Access via Path Traversal in `agent_id`. The `memory_cli.py` script constructs file paths using an `agent_id` parameter, which can be controlled by user input. The `get_agent_paths` function uses `os.path.join(MEMORY_DIR, agent_id)`. If `agent_id` contains path traversal sequences (e.g., `../`), an attacker could read, write, or overwrite arbitrary files outside the intended agent-specific directory, potentially leading to data exfiltration, data tampering, or denial of service. The `WORKSPACE` variable is also broadly defined, increasing the potential impact. Sanitize the `agent_id` input to prevent path traversal. Ensure `agent_id` only contains alphanumeric characters and is validated against a whitelist or a strict regex. Alternatively, use a UUID or hash for agent directories to prevent predictable path construction. Additionally, restrict the `WORKSPACE` environment variable to the minimum necessary scope. | LLM | scripts/memory_cli.py:70 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/bowen31337/tiered-memory/scripts/distiller.py:8 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/bowen31337/tiered-memory/scripts/memory_cli.py:17 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/bowen31337/tiered-memory/scripts/memory_cli.py:162 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/bowen31337/tiered-memory/scripts/memory_cli.py:727 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/bowen31337/tiered-memory/scripts/tree_search.py:8 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/bowen31337/tiered-memory/scripts/tree_search.py:60 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/bowen31337/tiered-memory/scripts/distiller.py:248 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/bowen31337/tiered-memory/scripts/memory_cli.py:628 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/bowen31337/tiered-memory/scripts/memory_cli.py:672 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/bowen31337/tiered-memory/scripts/memory_cli.py:729 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/bowen31337/tiered-memory/scripts/memory_cli.py:776 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/bowen31337/tiered-memory/scripts/tree_search.py:162 |
| MEDIUM | Potential Command Injection via `subprocess.run` Arguments. The skill uses `subprocess.run` to execute `memory_cli.py` with arguments derived from untrusted user input (`user_message`, `agent_response`). While `subprocess.run` with a list of arguments is generally safer than a shell string, if `memory_cli.py` itself does not properly sanitize or validate its arguments (e.g., `--text`, `--query`, `--category`, `--agent-id`), an attacker could craft input that exploits vulnerabilities within `memory_cli.py` (such as the identified path traversal in `agent_id`). Ensure all arguments passed to `subprocess.run` that originate from untrusted sources are thoroughly sanitized and validated by the called script (`memory_cli.py`). Specifically, address the path traversal vulnerability in `agent_id` and potential issues with `--text`, `--query`, and `--category` if they are not treated as literal strings by `memory_cli.py`. Consider using direct Python function calls instead of `subprocess.run` for internal skill components to avoid the overhead and potential risks of inter-process communication. | LLM | SKILL.md:650 |
| MEDIUM | Broad File System Access via `WORKSPACE` Variable. The `WORKSPACE` environment variable, if not explicitly set, defaults to a path four levels up from the script's location (`os.path.dirname(os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))))`). This typically resolves to the repository root or a higher-level directory, granting the skill broad read/write access to a large portion of the file system. While not a direct exploit, this excessive permission increases the attack surface and potential impact of other vulnerabilities like path traversal. Restrict the `WORKSPACE` variable to the absolute minimum necessary directory for the skill's operation. Ideally, skills should operate within their own sandboxed directories or have their file system access explicitly limited by the execution environment. | LLM | scripts/memory_cli.py:63 |