Trust Assessment
uptime-kuma received a trust score of 76/100, placing it in the Mostly Trusted category: it passed most security checks, and the only items noted are the two high-severity findings listed below.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. The two findings are an unpinned Python dependency in the skill setup and a command injection vulnerability in an example shell workflow.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned Python dependency in skill setup. The skill's setup instructions and setup script install the `uptime-kuma-api` Python package without pinning it to a version, so `pip install` fetches whatever release is latest at install time. A compromised or malicious future release of the package would be pulled into the skill automatically, a classic software supply-chain exposure. Pin the dependency to a specific, known-good version (`pip install uptime-kuma-api==X.Y.Z`) and, preferably, install from a `requirements.txt` whose entries carry `--hash=sha256:...` digests using `pip install --require-hashes -r requirements.txt`, so that pip verifies the downloaded artifact itself rather than only its version string. | LLM | SKILL.md:10 |
| HIGH | Command injection vulnerability in example shell workflow. The 'Maintenance mode' example in `SKILL.md` iterates with an unquoted command substitution: `for id in $(python scripts/kuma.py list --json \| jq -r '.[].id'); do ...`. The `id` values originate from the Uptime Kuma API by way of the `uptime-kuma-api` library. The shell does not re-parse a `;` in substituted output as a command separator, but it does apply word splitting and pathname expansion to it: a hostile value such as `1; rm -rf /` becomes four separate loop iterations (`1;`, `rm`, `-rf`, `/`), a `*` expands to file names in the current directory, and an option-like value (`--flag`) is handed unchanged to whatever command the loop body runs with `$id`. A malicious Uptime Kuma server or a compromised `uptime-kuma-api` library that controls `id` therefore controls the arguments of every command in the loop, and this escalates to arbitrary command execution if the elided loop body passes `$id` through `eval`, `sh -c`, or another unquoted expansion. Validate each `id` as a positive integer before use, iterate with `while IFS= read -r id; do ...; done` (or `xargs -I {}`) rather than `for ... in $(...)`, always quote `"$id"` and place it after `--`, and have `scripts/kuma.py` emit only integer ids. | LLM | SKILL.md:70 |
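The script below is an example added here; it is not code from the uptime-kuma skill or from SkillShield. It shows the hardened forms of both findings in a POSIX shell: a preflight that refuses to install from a requirements file unless every entry is pinned with `==` and carries a `--hash=sha256:` digest (the strict mode that `pip install --require-hashes` enforces), and a maintenance loop that validates each monitor id as a positive integer and reads ids with `while IFS= read -r` instead of `for id in $(...)`. It also demonstrates what the original loop really does with a hostile id (word splitting into extra iterations, not command execution). The requirements files, the version number, the digest and the id list are constructed stand-ins; in real use the id stream would be `python scripts/kuma.py list --json | jq -r '.[].id'` and the loop body would be the skill's own command with `"$id"` as its quoted final argument.

```shell
#!/bin/sh
# Added example, not code from the uptime-kuma skill or SkillShield. Hardened
# forms of the two findings above. Only a POSIX shell is assumed; the
# requirements files, version, digest and monitor ids below are constructed.
set -eu

# ---------- Finding 1: refuse unpinned or unhashed dependencies ----------

# One requirement record (continuation lines already joined). Succeeds only if
# the record pins an exact version with == and carries a sha256 digest, the
# two things `pip install --require-hashes -r <file>` needs to verify the
# downloaded artifact rather than just its version string.
requirement_is_pinned() {
  rec=${1%%#*}                          # drop a trailing comment
  case "$rec" in
    *==*--hash=sha256:*) return 0 ;;    # pkg==1.2.3 --hash=sha256:<digest>
    *) return 1 ;;
  esac
}

# Walks a requirements file, joining backslash-continued lines into single
# records, and reports every record that is not pinned and hashed. Global pip
# options such as --require-hashes and comment lines are skipped. Returns 1 if
# any record failed, so an installer can refuse to proceed.
check_pinned_requirements() {
  file=$1; record=""; status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *\\) record="$record${line%\\} "; continue ;;  # continued on next line
    esac
    record="$record$line"
    trimmed=$(printf '%s' "$record" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    record=""
    case "$trimmed" in
      ''|'#'*|-*) continue ;;           # blank, comment, or a pip option line
    esac
    if ! requirement_is_pinned "$trimmed"; then
      printf 'refusing unpinned or unhashed requirement: %s\n' "$trimmed" >&2
      status=1
    fi
  done < "$file"
  return "$status"
}

# ---------- Finding 2: never trust ids handed to a shell loop ----------

# What `for id in $(...)` really does with a hostile value: the shell
# word-splits the substituted text into separate iterations (and, unless
# `set -f` is active, expands * and ?). A ';' is NOT re-parsed as a command
# separator, but every fragment reaches the loop body as an argument.
# Prints the number of words the value turns into.
words_after_unquoted_expansion() {
  set -f                 # keep a '*' from matching files during this demo
  # shellcheck disable=SC2086 -- unquoted on purpose: this is the pitfall
  set -- $1
  set +f
  echo "$#"
}

# Strict monitor id: a positive decimal integer with no leading zero.
is_monitor_id() {
  case "$1" in
    ''|*[!0-9]*|0*) return 1 ;;
  esac
  return 0
}

# Reads one id per line from stdin (the `jq -r '.[].id'` stream), prints only
# the valid ones, reports the rest on stderr and returns 1 if anything was
# rejected so the caller can abort instead of silently skipping.
valid_monitor_ids() {
  rejected=0
  while IFS= read -r id; do
    if is_monitor_id "$id"; then
      printf '%s\n' "$id"
    else
      printf 'rejecting monitor id: %s\n' "$id" >&2
      rejected=1
    fi
  done
  return "$rejected"
}

# ---------- Demo on constructed input ----------
tmp=$(mktemp -d)
printf '%s\n' 'uptime-kuma-api' > "$tmp/unpinned.txt"   # the unpinned form the finding describes
printf '%s\n' '--require-hashes' 'uptime-kuma-api==1.2.1 \' \
  '    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000' \
  > "$tmp/pinned.txt"                                     # version and digest are placeholders
for f in unpinned.txt pinned.txt; do
  if check_pinned_requirements "$tmp/$f"; then echo "$f: ok to install"; else echo "$f: refused"; fi
done
rm -rf "$tmp"

echo "'1; rm -rf /' in an unquoted for loop becomes $(words_after_unquoted_expansion '1; rm -rf /') iterations"
# Stand-in for: python scripts/kuma.py list --json | jq -r '.[].id'
printf '%s\n' 12 '1; rm -rf /' --help 7 | valid_monitor_ids | while IFS= read -r id; do
  # Real loop body: the skill's own command, with -- "$id" as the quoted last argument.
  echo "would act on monitor $id"
done
```

The id check is deliberately stricter than "contains no shell metacharacters": anything that is not a positive integer is rejected, which also stops option-looking values from reaching a command line, and putting `--` before `"$id"` in the real loop body closes that path even for callers that skip the check.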
Full report: https://skillshield.io/report/a6dba125e3b162c3
Powered by SkillShield