Trust Assessment
vector-robot received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 9 critical, 3 high, 1 medium, and 1 low severity. Key findings include "Persistence / self-modification instructions", "Network egress to untrusted endpoints", and "Persistence mechanism: macOS LaunchAgent".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Detail | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions | macOS LaunchAgent/LaunchDaemon persistence | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/bogorman/vector-robot/SKILL.md:103 |
| CRITICAL | Persistence / self-modification instructions | macOS LaunchAgent/LaunchDaemon persistence | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/bogorman/vector-robot/scripts/install-launchagent.sh:7 |
| CRITICAL | Persistence / self-modification instructions | macOS LaunchAgent/LaunchDaemon persistence | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/bogorman/vector-robot/scripts/install-launchagent.sh:35 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/bogorman/vector-robot/SKILL.md:18 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/bogorman/vector-robot/SKILL.md:89 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/bogorman/vector-robot/scripts/vector-say.sh:6 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/bogorman/vector-robot/scripts/vector-see.sh:6 |
| CRITICAL | Shell command injection via unescaped user input in vector-say.sh | The `vector-say.sh` script uses `python3 -c "import urllib.parse; print(urllib.parse.quote('''$TEXT'''))"` to URL-encode user-provided text. The `$TEXT` variable is directly embedded within single quotes (`'''$TEXT'''`) in the Python command string. A malicious user can inject arbitrary shell commands by providing text containing single quotes, breaking out of the Python string and executing arbitrary code via the `python3 -c` interpreter. For example, input like `'; import os; os.system('rm -rf /'); print('` would lead to critical system compromise. | Properly escape or sanitize user input before embedding it into shell commands or interpreter arguments. For Python, use `shlex.quote` if passing to a shell, or pass the argument directly to the Python script using `sys.argv` instead of embedding it in the command string. A safer approach for URL encoding in bash would be to use `jq` or a dedicated URL encoding utility that handles quoting robustly, or pass the text as an argument to a Python script that reads `sys.argv[1]`. | LLM | scripts/vector-say.sh:10 |
| CRITICAL | Shell command injection via unescaped user input in vector-see.sh | The `vector-see.sh` script embeds the user-provided `OUTPUT` path directly into a Python script passed via a heredoc (`python3 << EOF`). The line `with open('$OUTPUT', 'wb') as out:` is vulnerable. If `$OUTPUT` contains a single quote, it can break out of the Python string and inject arbitrary Python code, which will then be executed by the `python3` interpreter. For example, input like `'; import os; os.system('rm -rf /'); print('` would lead to critical system compromise. | Properly escape or sanitize user input before embedding it into interpreter scripts. For Python, use `shlex.quote` if passing to a shell, or pass the argument directly to the Python script using `sys.argv` instead of embedding it in the heredoc. Alternatively, ensure the `OUTPUT` variable is strictly validated to be a safe file path. | LLM | scripts/vector-see.sh:15 |
| HIGH | Persistence mechanism: macOS LaunchAgent | Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/bogorman/vector-robot/SKILL.md:103 |
| HIGH | Persistence mechanism: macOS LaunchAgent | Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/bogorman/vector-robot/scripts/install-launchagent.sh:7 |
| HIGH | Persistence mechanism: macOS LaunchAgent | Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/bogorman/vector-robot/scripts/install-launchagent.sh:35 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/bogorman/vector-robot/scripts/install-launchagent.sh:7 |
| LOW | Broad CORS policy on local proxy server | The `proxy-server.js` sets `Access-Control-Allow-Origin: *` for all incoming requests. While this server is intended to run locally on `localhost:11435`, a broad CORS policy like this can be a security risk if the service were ever exposed to the network or if a malicious local application could exploit it. It's generally best practice to restrict CORS to specific origins, even for local services, to prevent potential cross-site request forgery (CSRF) or other attacks if the context changes. | Restrict `Access-Control-Allow-Origin` to `http://localhost:8080` (wire-pod's default origin) or other specific origins if known, instead of `*`. | LLM | scripts/proxy-server.js:14 |
Full report: https://skillshield.io/report/e00bb6eedf6732ef