Trust Assessment
wacli received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Untrusted instructions to LLM, Unpinned Go module dependency, Capability to send arbitrary local files.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Untrusted instructions to LLM.** The entire `SKILL.md` content, which contains instructions for the LLM on how to use the `wacli` tool (e.g., 'Use `wacli` only when...', 'Do NOT use `wacli` for normal user chats;'), is marked as untrusted input. This constitutes a prompt injection attempt, as an attacker could modify these instructions to manipulate the LLM's behavior and decision-making process. Recommendation: move all instructions intended for the host LLM outside the untrusted input delimiters. Only content that is truly user-provided or external data should be within the untrusted block. | LLM | SKILL.md:4 |
| HIGH | **Unpinned Go module dependency.** The `go` installation method specified in the manifest uses `github.com/steipete/wacli/cmd/wacli@latest`. Using `@latest` means the dependency is not pinned to a specific version, making the skill vulnerable to supply chain attacks if the upstream repository is compromised or introduces breaking/malicious changes without warning. Recommendation: pin the Go module dependency to a specific version or commit hash (e.g., `@v1.2.3` or `@<commit_hash>`) to ensure deterministic builds and prevent unexpected changes. | LLM | SKILL.md |
| HIGH | **Capability to send arbitrary local files.** The `wacli send file` command allows the agent to send any file from its local filesystem (`--file /path/agenda.pdf`). If the file path argument can be influenced by untrusted user input, this presents a critical data exfiltration risk, allowing an attacker to exfiltrate sensitive files from the agent's environment. Even without direct user control, the inherent capability to access and transmit arbitrary local files is an excessive permission for an AI agent skill. Recommendation: implement strict controls over file access. Restrict the agent's ability to specify arbitrary file paths, enforce allow-listing for file types and locations, and require explicit user confirmation for each file transmission. | LLM | SKILL.md:30 |
| MEDIUM | **Potential for shell command injection via arguments.** The `wacli` commands shown in the skill documentation accept various string arguments (e.g., `--message`, `--query`, `--file`, `--caption`). If these arguments are constructed directly from untrusted user input without proper shell escaping or sanitization, an attacker could inject malicious shell commands (e.g., `'; rm -rf /'`) that would be executed by the underlying system. While the `SKILL.md` itself doesn't perform the injection, it exposes the vulnerable command interface. Recommendation: ensure all arguments passed to `wacli` commands that originate from untrusted input are rigorously shell-escaped or validated against a strict allow-list of characters/patterns before execution. Use libraries or functions designed for safe command execution. | LLM | SKILL.md:20 |
Full report: [SkillShield report 15b014653255bd37](https://skillshield.io/report/15b014653255bd37)