Trust Assessment
wacli received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 1 medium, and 1 low severity. Key findings include Potential Command Injection via User Input, Data Exfiltration via Arbitrary File Sending, Broad Access to Sensitive User Data and System Files.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via User Input: The skill exposes direct command-line execution of `wacli` with arguments that can be derived from user input (e.g., `--query`, `--message`, `--file`, `--caption`). If the LLM directly interpolates untrusted user input into these command arguments without proper sanitization or escaping, a malicious user could inject arbitrary shell commands, leading to remote code execution or other system compromise. The LLM must be strictly instructed to sanitize all user-provided arguments before constructing and executing shell commands. This typically involves robust shell escaping or using a command execution mechanism that handles arguments as a list rather than a single string. | LLM | SKILL.md:20 |
| HIGH | Data Exfiltration via Arbitrary File Sending: The `wacli send file` command allows the LLM to send an arbitrary file specified by a path (e.g., `/path/agenda.pdf`). If a malicious user can trick the LLM into providing a sensitive file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, or other user data), this capability could be abused to exfiltrate confidential information from the system where the skill is executed. Implement strict allow-listing for file paths that can be sent, or require explicit, multi-factor user confirmation for sending files from sensitive directories (e.g., system directories, user home directories, or temporary folders). The LLM should be instructed to never send files from such locations without explicit approval. | LLM | SKILL.md:30 |
| MEDIUM | Broad Access to Sensitive User Data and System Files: The skill grants broad capabilities including searching and backfilling WhatsApp message history, which contains private communications, and sending arbitrary files from the local filesystem. While these are core functions of the `wacli` tool, exposing them broadly to an LLM without stringent safeguards increases the risk of misuse or accidental data exposure. The 'Safety' guidelines in the skill attempt to mitigate this, but the underlying permissions remain extensive. Implement stricter access controls and user confirmation flows for highly sensitive operations like searching private communication history or sending files. Consider limiting the scope of file access to specific, non-sensitive directories or requiring explicit user consent for each sensitive action. | LLM | SKILL.md:19 |
| LOW | Unpinned Go Module Dependency: The Go module dependency for `wacli` is specified with `@latest` in the manifest. This means the skill will always fetch the most recent version of the tool. While convenient, this practice can introduce supply chain risks, as a new version could potentially introduce breaking changes, unexpected behavior, or even malicious code without explicit review, leading to instability or security vulnerabilities. Pin the Go module dependency to a specific version or commit hash (e.g., `github.com/steipete/wacli/cmd/wacli@v1.2.3` or `@<commit_hash>`) to ensure deterministic builds and prevent unexpected updates. Regularly review and manually update dependencies to newer, vetted versions. | LLM | Manifest |