Trust Assessment
wilma received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The key findings are unsanitized argument passing in a shell wrapper and an unpinned npm dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unsanitized argument passing in shell wrapper. The `scripts/wilma-cli.sh` wrapper script directly passes all arguments (`"$@"`) received from its invocation to external commands (`wilma`, `wilmai`, or `node ...`). This creates a critical command injection vulnerability. A malicious prompt could instruct the LLM to include shell metacharacters (e.g., `;`, `\|`, `&`, `$(...)`) within the arguments, leading to arbitrary command execution on the host system. For example, an argument like `--student "foo; rm -rf /"` could be executed by the shell before the `wilma` command even processes it. Arguments passed to external commands from an LLM should always be sanitized or validated. If the `wilma` CLI itself is robust against shell injection (e.g., by using `exec` with an array of arguments in Node.js, or by carefully parsing arguments), then the wrapper script should ensure that the arguments are passed in a way that prevents shell interpretation. A common approach is to rewrite the wrapper in a more robust scripting language (e.g., Python, Node.js) using `subprocess.run` or `child_process.spawn` with an array of arguments, or to carefully quote and escape arguments if staying in bash, though the latter is prone to errors. For example, if the `wilma` command expects specific flags, the wrapper could parse and validate those flags before passing them. | LLM | scripts/wilma-cli.sh:8 |
| HIGH | Unpinned npm dependency. The skill's installation instructions recommend installing `@wilm-ai/wilma-cli` globally using `npm i -g @wilm-ai/wilma-cli`. This command does not specify a version, meaning `npm` will always install the `latest` available version. This introduces a supply chain risk as a future malicious or buggy update to the package could be automatically installed, potentially compromising the system or skill functionality without explicit user consent or review. Pin the dependency to a specific version (e.g., `npm i -g @wilm-ai/wilma-cli@1.1.0`) or a version range (e.g., `^1.1.0`) to ensure predictable and secure installations. Regularly review and update pinned versions. | LLM | SKILL.md:17 |