Trust Assessment
warren-deploy received a trust score of 15/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 1 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Remote code execution: curl/wget pipe to shell.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/planetai87/warren-deploy/SKILL.md:121 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/planetai87/warren-deploy/SKILL.md:121 | |
| HIGH | Arbitrary File Read via --file Argument The `deploy.js` script uses `fs.readFileSync(argv.file, 'utf8')` to read content from a file specified by the `--file` command-line argument. If an attacker can manipulate this argument (e.g., through prompt injection into the LLM that invokes the skill), they could instruct the skill to read arbitrary files from the system, potentially leading to data exfiltration of sensitive information like `/etc/passwd`, configuration files, or other local data. Implement strict validation and sanitization of the `--file` argument to ensure it only points to files within an expected, sandboxed directory. Alternatively, restrict the LLM's ability to provide arbitrary file paths for this argument, or use a file picker mechanism. | LLM | deploy.js:109 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/planetai87/warren-deploy/deploy.js:109 | |
| MEDIUM | Unpinned Dependency in setup.sh The `setup.sh` script installs the `ethers` package using `npm install ethers` without specifying a version. This means it will always fetch the latest available version. While `ethers` is a widely used and trusted library, relying on the latest version without pinning can introduce unexpected breaking changes, compatibility issues, or, in a worst-case scenario, pull a compromised version if the npm registry or the package itself is maliciously updated. Pin the `ethers` dependency to a specific, known-good version (e.g., `npm install ethers@6.11.1`) to ensure deterministic builds and reduce the risk of unexpected changes or supply chain attacks. | LLM | setup.sh:6 | |
| INFO | Handling of Private Keys The skill explicitly instructs the user to set a `PRIVATE_KEY` environment variable or pass it as a command-line argument, which is then used by `deploy.js` to sign blockchain transactions. While the `deploy.js` script itself does not appear to exfiltrate the private key, its presence in the environment or as an argument makes it a highly sensitive credential. The LLM runtime and any surrounding infrastructure must ensure robust security measures to prevent logging, exposure, or unauthorized access to this private key. Ensure the LLM runtime environment securely manages and isolates sensitive credentials. Implement strict logging policies to prevent private keys from being recorded. Consider using more secure credential management systems (e.g., secrets managers) if available in the execution environment, rather than direct environment variables. | LLM | SKILL.md:34 |
Scan History
Embed Code
[](https://skillshield.io/report/24fefb325029fd6a)
Powered by SkillShield