Trust Assessment
topydo received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include potential command injection via unescaped user input in CLI arguments, command injection and arbitrary file write via `topydo dep dot`, and potential data exfiltration via JSON output of task data.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via unescaped user input in CLI arguments. The skill describes a CLI tool (`topydo`) where many commands take user-provided strings as arguments (e.g., task descriptions, project names, filter expressions). If the AI agent constructs shell commands by directly embedding unsanitized user input into these arguments, a malicious user could inject arbitrary shell commands. For example, `topydo add "My task; rm -rf /"` could lead to arbitrary code execution. The skill documentation itself demonstrates the pattern of user input becoming part of a shell command. The AI agent must ensure all user-provided arguments passed to `topydo` commands are properly escaped or quoted for the shell environment, for example by using `shlex.quote()` in Python or similar mechanisms in other languages. | LLM | SKILL.md:100 |
| HIGH | Command Injection and Arbitrary File Write via `topydo dep dot`. The `topydo dep dot` command is demonstrated piping its output to an external `dot` command (from Graphviz) and then writing the result to a file (e.g., `deps.png`). If the arguments to `topydo dep dot` or the output filename (`deps.png`) could be influenced by user input, it could lead to command injection (e.g., if `dot` could be replaced or given malicious arguments) or arbitrary file writes/overwrites, potentially leading to data exfiltration, denial of service, or execution of malicious code if the file is later executed. The AI agent should strictly control the arguments passed to `topydo dep dot` and the subsequent `dot` command. User input should not directly influence the external command or the output filename. If an output file is necessary, ensure it's written to a sandboxed, temporary location with a controlled filename and appropriate permissions. | LLM | SKILL.md:239 |
| MEDIUM | Potential Data Exfiltration via JSON output of task data. The `topydo ls -f json` command allows the tool to output all relevant task data in a structured JSON format. If the AI agent is prompted to use this command and then transmit the output to an untrusted external service or display it to a malicious user, it could lead to the exfiltration of sensitive task information. The AI agent should be cautious when handling and transmitting the output of `topydo ls -f json`. Ensure that sensitive task data is not exposed to unauthorized parties or transmitted to untrusted destinations. Implement strict access controls and data handling policies for such outputs. | LLM | SKILL.md:169 |