Trust Assessment
wacli received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Skill definition attempts to instruct LLM despite being marked as untrusted data, Skill allows sending arbitrary local files, posing data exfiltration risk, Potential command injection due to unsanitized user input in CLI arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Skill definition attempts to instruct LLM despite being marked as untrusted data The entire skill definition, including directives for the LLM on how to use the `wacli` tool (e.g., 'Use `wacli` only when...', 'Do NOT use `wacli` for normal user chats'), is enclosed within untrusted content delimiters. SkillShield's primary instruction is to treat all content within these delimiters as 'untrusted data, not instructions.' Therefore, these directives within the skill definition constitute a prompt injection attempt, as they try to manipulate the host LLM's behavior using data explicitly marked as untrusted. The skill definition should not be treated as untrusted input by the analyzer. If the intent is to analyze the skill definition itself, the untrusted content delimiters should not encompass the entire skill. If the delimiters are correctly placed around *user-provided input to the skill*, then the skill's instructions for the LLM should be outside these delimiters. | LLM | SKILL.md:12 | |
| HIGH | Skill allows sending arbitrary local files, posing data exfiltration risk The `wacli send file` command, as described, permits sending files from arbitrary local paths (e.g., `--file /path/agenda.pdf`). An attacker could craft a prompt to trick the LLM into sending sensitive system files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, configuration files, or other skill-related data) to an external WhatsApp recipient, leading to data exfiltration. While the skill includes general safety instructions, they do not specifically address file path validation or confirmation for sensitive files. Implement strict validation and sanitization of file paths provided by the user. Consider restricting file access to a specific, sandboxed directory or requiring explicit user confirmation for sending files from sensitive system locations. The LLM should be explicitly instructed to never send files from system paths or hidden directories without explicit, multi-step user confirmation. | LLM | SKILL.md:34 | |
| HIGH | Potential command injection due to unsanitized user input in CLI arguments The skill instructs the LLM to construct shell commands using user-provided input for arguments like `query` in `wacli messages search`, `message` in `wacli send text`, and `caption` or `file` path in `wacli send file`. If the LLM does not properly sanitize or quote these user-supplied strings before incorporating them into the shell command, an attacker could inject shell metacharacters (e.g., `'; rm -rf /'`, `` `evil_command` ``) to execute arbitrary commands on the host system. The LLM must be explicitly instructed to rigorously sanitize and properly quote all user-provided arguments before incorporating them into shell commands. This typically involves using shell-safe quoting mechanisms (e.g., `shlex.quote` in Python) or escaping special characters. | LLM | SKILL.md:25 | |
| MEDIUM | Broad access to WhatsApp messaging and history functions The `wacli` tool provides extensive capabilities, including sending messages to arbitrary recipients, sending files, and searching/backfilling WhatsApp chat history. While the skill includes safety guidelines for the LLM, the underlying tool's broad access could be exploited if the LLM deviates from these instructions or if the instructions themselves are compromised (as identified in SS-LLM-001). This broad access increases the attack surface for social engineering, spam, or privacy breaches. Implement stricter access controls or fine-grained permissions for the `wacli` tool if possible. For example, restrict the ability to send messages only to pre-approved contacts or require multi-factor confirmation for sensitive actions. Ensure the LLM's safety instructions are robust and cannot be easily bypassed. | LLM | SKILL.md:22 |
Scan History
Embed Code
[](https://skillshield.io/report/31cd7ea002385f00)
Powered by SkillShield