Trust Assessment
wpstime-punchclock received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Command Injection risk in chat wizard setup instructions, Explicit credential harvesting risk in chat-based setup, Arbitrary file write via `--outDir` parameter.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Command Injection risk in chat wizard setup instructions The `SKILL.md` provides instructions for a 'chat wizard setup' (Option B) that involves constructing and executing a `security add-generic-password` shell command using user-provided `companyId`, `username`, and `password`. If the LLM implements this by directly interpolating unsanitized user input into a shell command string, it could lead to command injection, allowing an attacker to execute arbitrary commands on the host system. For example, a malicious username like `myuser" -w "mypassword" -D; rm -rf /` could be used. When implementing 'Option B', the LLM must ensure that all user-provided inputs (`companyId`, `username`, `password`) are properly sanitized and escaped before being passed to `security add-generic-password` if executed via a shell. Alternatively, use `execFile` with an array of arguments, which prevents shell injection, or guide the user to run the `setup.mjs` script directly, which handles input securely. | LLM | SKILL.md:49 | |
| HIGH | Explicit credential harvesting risk in chat-based setup The `SKILL.md` describes an 'Option B: chat wizard setup' where the LLM is instructed to collect `companyId`, `username`, and `password` directly from the user via chat. The skill explicitly warns that 'the password will be sent via chat and may be stored by the chat platform + gateway logs.' This design choice inherently poses a high risk of credential harvesting, as sensitive user credentials (password) are exposed in the chat history, making them vulnerable to logging and potential compromise. Strongly recommend against implementing 'Option B' for password collection. Instead, always guide users to use 'Option A: local terminal setup' which leverages macOS Keychain directly, preventing credentials from ever appearing in chat logs. If a chat-based setup is absolutely necessary, implement a secure out-of-band mechanism for password entry that does not expose it in chat history. | LLM | SKILL.md:35 | |
| MEDIUM | Arbitrary file write via `--outDir` parameter The `scripts/punchclock.mjs` script accepts an `--outDir` command-line argument to specify where screenshots should be saved. The script uses `path.resolve` and `path.join` with this argument without explicit sanitization or validation. If the LLM passes untrusted user input directly to `--outDir`, an attacker could specify an arbitrary path, potentially leading to writing files (screenshots) to sensitive system directories or web-accessible locations, which could facilitate data exfiltration or denial of service. The LLM should validate and sanitize any user-provided input for the `--outDir` argument to ensure it points to a safe, intended directory, or restrict it to a predefined set of paths. The `punchclock.mjs` script itself could also implement stricter validation on `outDir` to prevent path traversal (e.g., ensuring it's within a designated output directory). | LLM | scripts/punchclock.mjs:30 |
Scan History
Embed Code
[](https://skillshield.io/report/b732c4423f37717e)
Powered by SkillShield