Trust Assessment
workspace-anchor received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 10 critical, 2 high, 3 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (15)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zenchantlive/workspace-anchor/cli.js:8 |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zenchantlive/workspace-anchor/lib/discover.js:10 |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zenchantlive/workspace-anchor/lib/validate.js:10 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zenchantlive/workspace-anchor/cli.js:22 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zenchantlive/workspace-anchor/lib/discover.js:103 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zenchantlive/workspace-anchor/lib/validate.js:51 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zenchantlive/workspace-anchor/lib/validate.js:63 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zenchantlive/workspace-anchor/lib/validate.js:161 |
| CRITICAL | Skill instructs LLM to use `exec` for path discovery: The skill's `SKILL.md` explicitly instructs the host LLM to use `exec` to find files. This is a direct manipulation attempt on the host LLM's behavior, encouraging it to perform a potentially dangerous action (`exec`) which can lead to command injection if the LLM constructs the `exec` command with untrusted input. Remove instructions for the LLM to use `exec`. The skill should provide its own safe methods for path discovery, or the LLM should be configured to refuse such instructions from untrusted skill descriptions. | LLM | SKILL.md:8 |
| CRITICAL | Direct user input passed to `execSync` with `bash` without sanitization: The `validateWithEnforcer` function in `lib/validate.js` constructs a `bash` command using `execSync` and directly embeds `targetPath` (which comes from `process.argv`) into the command string. Although `targetPath` is quoted, this does not prevent command injection via shell metacharacters like command substitution (`$(...)`), backticks, or maliciously crafted quotes that can break out of the string. An attacker can provide a `targetPath` that executes arbitrary shell commands. Avoid using `execSync` with unsanitized user input in a shell command string. If `bash` execution is necessary, use `spawn` with an array of arguments to prevent shell interpretation, or rigorously sanitize and escape `targetPath` for shell execution (e.g., using a library that handles shell escaping). | LLM | lib/validate.js:149 |
| HIGH | `execSync` used with potentially unvalidated path in `find` command: The `findLockFiles` function uses `execSync` to run a `find` command. The path `expanded` (derived from `defaults.json` or environment variables) is enclosed in double quotes, which mitigates some injection risks. However, if `expanded` contains carefully crafted shell metacharacters (e.g., `$(command)`, backticks, or escaped quotes), it could lead to command injection. While `defaults.json` is part of the skill, it is still untrusted content in the context of this analysis. Use Node.js's built-in `fs` module for directory traversal instead of `execSync('find ...')`. If shell execution is unavoidable, use `spawn` with an array of arguments to prevent shell interpretation, or rigorously sanitize/escape all input before passing it to `execSync`. | LLM | lib/discover.js:96 |
| HIGH | `execSync` used with potentially unvalidated path from `.project-lock` in `find` command: The `getCurrentProject` function in `lib/validate.js` uses `execSync` to run a `find` command. The `currentRoot` variable, derived from the `ROOT` field within `~/clawd/.project-lock`, is used in the `find` command. If an attacker can control the content of `~/clawd/.project-lock` (e.g., by creating a malicious project or modifying an existing one), they could inject shell metacharacters into the `ROOT` path, leading to command injection when `execSync` is called. Use Node.js's built-in `fs` module for directory traversal instead of `execSync('find ...')`. If shell execution is unavoidable, rigorously sanitize/escape all input derived from `.project-lock` files before passing it to `execSync`. | LLM | lib/validate.js:59 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/zenchantlive/workspace-anchor/lib/validate.js:168 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/zenchantlive/workspace-anchor/SKILL.md:1 |
| MEDIUM | Skill allows writing `.project-lock` to arbitrary paths: The `createLockFile` function takes `rootPath` directly from `process.argv` and writes a `.project-lock` file to `path.join(rootPath, '.project-lock')`. An attacker could specify a sensitive `rootPath` (e.g., `/etc`, `/usr/local/bin`) to attempt to write files to arbitrary locations, potentially overwriting existing files or creating malicious configuration files, even if permissions often prevent success. The `expandPath` function also allows for environment variable expansion, which could be abused. Restrict `rootPath` to a predefined set of safe directories (e.g., user's home directory, specific project directories) or validate that the path is within an allowed project workspace before writing. | LLM | lib/create.js:70 |