Trust Assessment
working-with-lockdownd received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 19 findings: 4 critical, 7 high, 8 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Suspicious import: socket.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings19
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/worflor/working-with-lockdownd/scripts/lockdownd_cli.py:120 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/worflor/working-with-lockdownd/scripts/lockdownd_cli.py:131 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/worflor/working-with-lockdownd/scripts/lockdownd_cli.py:144 | |
| CRITICAL | Extraction of highly sensitive cryptographic keys and device data The skill is designed to extract highly sensitive cryptographic material (Activation Private Keys, Find My Network keys, Escrow Keybags, Host Certificates/Private Keys) and extensive device information (IMEI, SerialNumber, NVRAM contents, etc.) from iOS devices. This data, if compromised, allows for device identity cloning, decryption of location data, and full access to the device. The `extract_secrets.py` and `deep_probe.py` scripts are specifically built for this purpose, and `wifi_lockdown.py` handles the loading of pairing records containing host credentials. This represents both credential harvesting and significant data exfiltration. Implement strict access controls and logging for the use of these capabilities. Ensure that the LLM is explicitly authorized by the user before executing any secret extraction. Consider redacting or encrypting sensitive outputs by default. | LLM | scripts/extract_secrets.py:109 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/worflor/working-with-lockdownd/scripts/os_trace_v2.py:5 | |
| HIGH | Dangerous call: subprocess.call() Call to 'subprocess.call()' detected in function 'cmd_syslog'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/worflor/working-with-lockdownd/scripts/lockdownd_cli.py:120 | |
| HIGH | Dangerous call: subprocess.call() Call to 'subprocess.call()' detected in function 'cmd_trace'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/worflor/working-with-lockdownd/scripts/lockdownd_cli.py:131 | |
| HIGH | Dangerous call: subprocess.call() Call to 'subprocess.call()' detected in function 'cmd_probe'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/worflor/working-with-lockdownd/scripts/lockdownd_cli.py:144 | |
| HIGH | LLM encouraged to perform unverified software downloads and installations The skill's documentation instructs the LLM to "ask Opus / the model to 'just figure it out' and it will get downloaded somehow" for installing the Apple Mobile Device Driver. This encourages the LLM to search for, download, and potentially execute arbitrary software from unverified sources, posing a significant risk of introducing malware or compromised drivers into the host system. Provide explicit, verified download links and installation instructions for necessary drivers. Prohibit the LLM from independently searching for and installing software. | LLM | SKILL.md:59 | |
| HIGH | Skill requires and utilizes broad, high-privilege access to iOS device The skill's fundamental operation involves establishing a privileged connection to an iOS device using sensitive pairing records (HostCertificate, HostPrivateKey). It then proceeds to query a vast array of device properties and can initiate various services, including those that provide real-time system logs and trace data, which can contain sensitive operational details. While necessary for its functionality, this level of access is inherently high-risk and could be misused if the skill is compromised or misdirected. The `SKILL.md` explicitly states "Possession of the file == Full Access." Implement strict user consent mechanisms for any action requiring high-privilege access. Clearly delineate between "safe" and "dangerous" operations and require explicit user confirmation for the latter. | LLM | SKILL.md:79 | |
| HIGH | Exposed capability to force device into Recovery Mode (Denial of Service) The skill explicitly states that the `{Request: 'EnterRecovery'}` command "WORKS over WiFi and will immediately reboot the device into Recovery Mode. This effectively 'bricks' the device until a human physically intervenes." While the documentation warns "NEVER run this unless explicitly instructed to perform a Denial of Service," the capability is exposed and could be triggered by a malicious or misdirected LLM, leading to a denial of service for the user's device. Implement a hard-coded block or a multi-factor confirmation step for the `EnterRecovery` command within the skill's code, preventing the LLM from executing it without explicit, unambiguous, and verified user intent. | LLM | SKILL.md:34 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/worflor/working-with-lockdownd/scripts/deep_probe.py:11 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/worflor/working-with-lockdownd/scripts/extract_secrets.py:20 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/worflor/working-with-lockdownd/scripts/lockdownd_cli.py:66 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/worflor/working-with-lockdownd/scripts/lockdownd_cli.py:148 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/worflor/working-with-lockdownd/scripts/os_trace_v2.py:10 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/worflor/working-with-lockdownd/scripts/syslog_stream.py:10 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/worflor/working-with-lockdownd/scripts/wifi_lockdown.py:11 | |
| MEDIUM | Use of `subprocess.call` with potentially untrusted arguments The `lockdownd_cli.py` script uses `subprocess.call` to execute other Python scripts (`syslog_stream.py`, `os_trace_v2.py`, `lockdownd_probe.py`). Arguments such as `args.host` and `args.udid` are passed directly from command-line input to these subprocesses. While arguments are passed as a list, reducing direct shell injection risk, a sophisticated attacker or a misdirected LLM could potentially craft arguments that exploit vulnerabilities in the called scripts or lead to unintended execution if the called scripts were to interpret these arguments in a shell-like context. Ensure that all arguments passed to `subprocess.call` are strictly validated and sanitized. If possible, refactor to use direct function calls instead of subprocesses for local script execution, or use `subprocess.run` with `check=True` and explicit argument handling. | LLM | scripts/lockdownd_cli.py:100 |
Scan History
Embed Code
[](https://skillshield.io/report/4adb6f5ac3104d94)
Powered by SkillShield