Trust Assessment
trust-protocol received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 6 critical, 8 high, 1 medium, and 1 low severity. Key findings include "Arbitrary command execution", "Missing required field: name", and "Dangerous call: subprocess.run()".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 9c1b8e80). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (16)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/felmonon/trust-protocol/atp.py:298 |
| CRITICAL | **Arbitrary command execution** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/felmonon/trust-protocol/demo.py:59 |
| CRITICAL | **Arbitrary command execution** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/felmonon/trust-protocol/moltbook_trust.py:40 |
| CRITICAL | **Arbitrary command execution** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/felmonon/trust-protocol/moltbook_trust.py:97 |
| CRITICAL | **Command Injection via `shell=True` with user input** The `_run_command` function in `atp.py` executes commands using `subprocess.run(..., shell=True)`. This is highly dangerous when the command string (`cmd`) is constructed using unsanitized user-controlled input. Several functions, including `_sign_challenge`, `_verify_challenge`, `_get_agent_fingerprint`, and `_get_agent_pubkey_path`, pass user-controlled data (e.g., file paths, agent names) into commands executed by `_run_command`. An attacker can inject arbitrary shell commands by crafting malicious input for agent names, challenge files, or response files. Avoid `shell=True` when executing external commands with user-controlled input. Instead, pass commands and arguments as a list to `subprocess.run()`. If `shell=True` is strictly necessary, ensure all user-controlled input is rigorously sanitized and escaped to prevent shell metacharacter interpretation. For file paths, use `shlex.quote()`. | LLM | atp.py:370 |
| CRITICAL | **Command Injection in `moltbook_trust.py` via `shell=True`** The `moltbook_trust.py` script uses `subprocess.run(..., shell=True)` in its `atp_cmd` and `cmd_scan_post` functions. User-controlled inputs such as `username`, `domain`, and `post_id` are directly interpolated into shell commands. Specifically, `cmd_scan_post` executes `moltbook.py post {post_id}` where `post_id` comes directly from `sys.argv`. This allows an attacker to inject arbitrary shell commands by providing a malicious `post_id` or other arguments. Avoid `shell=True` when executing external commands with user-controlled input. Pass commands and arguments as a list to `subprocess.run()`. Ensure all user-controlled input is rigorously sanitized and escaped to prevent shell metacharacter interpretation. For file paths, use `shlex.quote()`. | LLM | moltbook_trust.py:40 |
| HIGH | **Dangerous call: subprocess.run()** Call to 'subprocess.run()' detected in function 'respond_to_challenge'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/felmonon/trust-protocol/atp.py:298 |
| HIGH | **Dangerous call: subprocess.run()** Call to 'subprocess.run()' detected in function 'run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/felmonon/trust-protocol/demo.py:59 |
| HIGH | **Dangerous call: subprocess.run()** Call to 'subprocess.run()' detected in function 'atp_cmd'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/felmonon/trust-protocol/moltbook_trust.py:40 |
| HIGH | **Dangerous call: subprocess.run()** Call to 'subprocess.run()' detected in function 'cmd_scan_post'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/felmonon/trust-protocol/moltbook_trust.py:97 |
| HIGH | **Direct source dependency in package.json** Dependency 'skillsign' uses non-registry source 'https://github.com/FELMONON/skillsign', which increases supply-chain risk. Prefer vetted registry releases pinned to exact versions. | Dependencies | skills/felmonon/trust-protocol/package.json |
| HIGH | **Potential Data Exfiltration via Command Injection** The identified command injection vulnerabilities in `atp.py` and `moltbook_trust.py` (SS-CMD-001) allow an attacker to execute arbitrary shell commands. This capability can be leveraged to read and exfiltrate sensitive data from the system, including configuration files, user data, or any files accessible by the process running the skill. Private keys stored in `SKILLSIGN_DIR` are particularly at risk. Mitigate the underlying command injection vulnerabilities by removing `shell=True` and properly sanitizing all user-controlled inputs. Implement strict access controls and the principle of least privilege for the skill's execution environment. | LLM | atp.py:370 |
| HIGH | **Credential Harvesting via Command Injection** The `atp.py` skill interacts with `skillsign` to manage cryptographic keys, including private keys stored in `SKILLSIGN_DIR`. The command injection vulnerabilities (SS-CMD-001) allow an attacker to execute arbitrary commands, which could be used to read and exfiltrate these private keys. Compromise of private keys would allow an attacker to impersonate agents and sign malicious content. Address the command injection vulnerabilities by avoiding `shell=True` and sanitizing user inputs. Additionally, consider storing sensitive credentials like private keys in more secure, hardware-backed stores or encrypted vaults, rather than plain files accessible to the skill process. | LLM | atp.py:420 |
| HIGH | **Unpinned Dependency in `package.json`** The `package.json` file specifies a dependency on `skillsign` using a direct GitHub URL (`https://github.com/FELMONON/skillsign`). This dependency is unpinned, meaning it does not specify a particular version, commit hash, or tag. If the content at this URL changes (e.g., due to a compromise of the `skillsign` repository), the skill could unknowingly pull in malicious code, leading to a supply chain attack. Pin the `skillsign` dependency to a specific version, commit hash, or tag. For example, `"skillsign": "https://github.com/FELMONON/skillsign#v1.0.0"` or `"skillsign": "https://github.com/FELMONON/skillsign#<commit_hash>"`. Regularly review and update pinned dependencies. | LLM | package.json:20 |
| MEDIUM | **Missing required field: name** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/felmonon/trust-protocol/SKILL.md:1 |
| LOW | **Node lockfile missing** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/felmonon/trust-protocol/package.json |