Trust Assessment
workspace-explorer received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 2 critical, 0 high, 0 medium, and 0 low severity. The two findings are "Remote Workspace Exposure and Credential Exfiltration" and "Unverified Binary Downloads and Execution".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Remote Workspace Exposure and Credential Exfiltration.** The skill's primary function is to expose the agent's local workspace to the internet via a temporary VS Code environment and Cloudflare tunnel. It explicitly generates and prints a public URL and a cryptographically secure password directly to the terminal. The skill then instructs the agent to 'Share the URL and password with your owner.' This constitutes a direct instruction for exfiltrating sensitive access credentials and exposing potentially large amounts of local data. The `code-server` running within the exposed workspace will have broad filesystem access to the specified directory, posing a significant data exfiltration and excessive permissions risk. Recommendations: (1) **Explicit User Consent**: require explicit, interactive user consent before exposing the workspace and sharing credentials. (2) **Scope Limitation**: ensure the `workspace` path is strictly validated and limited to the minimum necessary directory, preventing exposure of sensitive system paths. (3) **Secure Credential Handling**: avoid printing credentials directly to stdout; instead, use secure channels for sharing or temporary, one-time access tokens. (4) **Audit Logging**: implement comprehensive logging of access attempts and session activity. | LLM | SKILL.md:28 |
| CRITICAL | **Unverified Binary Downloads and Execution.** The skill explicitly states it will 'Download binaries on first run (code-server + cloudflared)'. The `SKILL.md` does not specify the source URLs, expected checksums, or pinned versions for these binaries. This introduces a critical supply chain risk, as the agent could download and execute arbitrary, potentially malicious code if the download mechanism is compromised or if the default download sources are untrustworthy. This also implies shell execution for the download and subsequent running of these external binaries without explicit verification. Recommendations: (1) **Pin Versions and Checksums**: always specify exact versions for external binaries and verify their integrity using cryptographic checksums (e.g., SHA256) against known good values. (2) **Trusted Sources**: only download binaries from official, trusted sources over HTTPS. (3) **Isolate Downloads**: perform downloads and executions in an isolated environment (e.g., container, sandbox) to limit the potential blast radius. (4) **User Notification**: inform the user about external binary downloads and their sources. | LLM | SKILL.md:26 |
Scan History
[Full SkillShield report](https://skillshield.io/report/1d646128400f258b)
Powered by SkillShield