Trust Assessment
virtuals-protocol-acp received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. In order of severity: Arbitrary Code Execution via Dynamic Import of Untrusted Path (critical), Command Injection via `exec` with Untrusted URL (high), and Unpinned npm dependency version (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Code Execution via Dynamic Import of Untrusted Path.** The seller runtime dynamically imports `handlers.ts` files based on an `offeringName` received from the ACP backend via WebSocket. The `offeringName` is extracted from JSON content (`negotiationMemo.content`) that is not sanitized for path traversal sequences. A malicious actor could craft an `offeringName` (e.g., `../../../../tmp/malicious`) to make the runtime import and execute an arbitrary TypeScript/JavaScript file from the file system, leading to arbitrary code execution. Remediation: validate `offeringName` before using it to construct a file path (e.g., accept only alphanumeric characters, hyphens, and underscores), or check it against an allowlist of known offering names. This validation belongs where the `offeringName` is first parsed from the untrusted `negotiationMemo.content` in `src/seller/runtime/seller.ts`, and the resolved path should additionally be checked to stay inside the offerings directory. | LLM | src/seller/runtime/offerings.ts:49 |
| HIGH | **Command Injection via `exec` with Untrusted URL.** The `openUrl` function uses `child_process.exec` to open a URL in the default browser. The URL is sourced from an external API (`acpx.virtuals.io`). Although the URL is quoted, `exec` runs the command through a shell, and quoting only protects against metacharacters the quote style actually neutralizes: a URL containing the quote character itself breaks out of the quotes, and inside double quotes `$(...)` and backticks are still expanded. A compromised backend (or a man-in-the-middle on that API) could therefore supply a URL that executes arbitrary commands on the user's system. Remediation: do not pass untrusted input to `child_process.exec`. Use `child_process.spawn` with the command and its arguments as separate array elements (no shell is involved, so metacharacters in the URL are inert), or a dedicated URL-opening library that does not invoke a shell. Independently, validate the URL with a URL parser and check its scheme and host before opening it; validation alone is not sufficient, because a syntactically valid `https://` URL can still carry shell syntax in its path or query. | LLM | src/lib/open.ts:16 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `@virtuals-protocol/acp-node` is not pinned to an exact version (`^0.3.0-beta.26`). That caret range admits any later 0.3.x release, so two installs on different days can pull different code. Pin dependencies to exact versions and commit a lockfile to reduce drift and supply-chain risk. | Dependencies | skills/virtualstechteam/virtuals-protocol-acp/package.json |
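The two code-level findings above share a shape: a string controlled by the ACP backend reaches a dangerous sink (a dynamic `import()` path, a shell command line). The following TypeScript is an added example of how both sinks can be hardened; it is not code from the virtuals-protocol-acp skill, and the names `parseOfferingName`, `resolveHandlerPath`, `loadHandlers`, `validateUrl`, `openCommand`, `openUrl`, the `ALLOWED_HOSTS` set and the regex for offering names are all assumptions chosen for illustration. It shows the allowlist check on `offeringName`, a second containment check on the resolved path, and a shell-free `spawn` for opening the URL; it also shows why URL validation alone is not enough, since `https://acpx.virtuals.io/pay?ref=$(id)` parses as a perfectly valid URL.

```typescript
import * as path from "node:path";
import { pathToFileURL } from "node:url";
import { spawn } from "node:child_process";

// ---- Finding 1: offeringName used to build a dynamic import path ----------

// Hypothetical policy: a name must be a short token of alphanumerics, '-' and '_'.
// Anything else (including '.', '/', '\\') is rejected before any path is built.
const OFFERING_NAME = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;

// negotiationMemo.content is a JSON string chosen by the remote side.
export function parseOfferingName(memoContent: string, allowed?: ReadonlySet<string>): string {
  let parsed: unknown;
  try {
    parsed = JSON.parse(memoContent);
  } catch {
    throw new Error("negotiationMemo.content is not valid JSON");
  }
  const name = (parsed as { offeringName?: unknown } | null)?.offeringName;
  if (typeof name !== "string" || !OFFERING_NAME.test(name)) {
    throw new Error(`invalid offeringName: ${JSON.stringify(name)}`);
  }
  // Optional allowlist: only offerings the seller actually registered.
  if (allowed && !allowed.has(name)) throw new Error(`unknown offering: ${name}`);
  return name;
}

// Defence in depth: even a validated name is re-checked to stay under offeringsDir.
export function resolveHandlerPath(offeringsDir: string, offeringName: string): string {
  const root = path.resolve(offeringsDir) + path.sep;
  const target = path.resolve(offeringsDir, offeringName, "handlers.ts");
  if (!target.startsWith(root)) throw new Error(`handler path escapes ${root}: ${target}`);
  return target;
}

export async function loadHandlers(offeringsDir: string, memoContent: string, allowed?: ReadonlySet<string>) {
  const name = parseOfferingName(memoContent, allowed);
  return import(pathToFileURL(resolveHandlerPath(offeringsDir, name)).href);
}

// ---- Finding 2: opening a backend-supplied URL without a shell -------------

// Assumption: the only origin the skill expects to open is the ACP backend.
const ALLOWED_HOSTS: ReadonlySet<string> = new Set(["acpx.virtuals.io"]);

// Parses and checks scheme and host. Note that this does NOT strip shell syntax:
// "$(id)" in a query string is a legal URL character sequence and survives as-is.
export function validateUrl(raw: string): string {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    throw new Error("not a URL");
  }
  if (u.protocol !== "https:") throw new Error(`scheme not allowed: ${u.protocol}`);
  if (!ALLOWED_HOSTS.has(u.hostname)) throw new Error(`host not allowed: ${u.hostname}`);
  return u.href;
}

// Command and argv array per platform; the URL is always its own argv element.
export function openCommand(url: string, platform: string = process.platform): { cmd: string; args: string[] } {
  switch (platform) {
    case "darwin":
      return { cmd: "open", args: [url] };
    case "win32":
      // rundll32 hands the URL to the registered handler without cmd.exe parsing it.
      return { cmd: "rundll32", args: ["url.dll,FileProtocolHandler", url] };
    default:
      return { cmd: "xdg-open", args: [url] };
  }
}

// Hardened replacement for an exec-based openUrl: no shell, so `"`, `$(...)`
// and backticks inside the URL are passed literally to the opener.
export function openUrl(raw: string): void {
  const url = validateUrl(raw);
  const { cmd, args } = openCommand(url);
  spawn(cmd, args, { stdio: "ignore", detached: true }).unref();
}
```

The important property is that `openCommand` never builds a command string: with `exec`, the validated URL `https://acpx.virtuals.io/pay?ref=$(id)` would become `xdg-open "https://acpx.virtuals.io/pay?ref=$(id)"` and the shell would run `id` before the browser ever starts; with `spawn` the same bytes arrive in the opener's `argv[1]` unchanged.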
Full report: https://skillshield.io/report/5ee38154ddf071f4