Trust Assessment
x-bookmark-archiver received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 4 high, 2 medium, and 0 low severity. Key findings include Missing required field: name, External Command Execution with Untrusted Dependency, Untrusted Input Sent to LLM API.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | External Command Execution with Untrusted Dependency The skill executes the `bird` CLI using `child_process.execSync`. While the arguments passed to `bird` are controlled by the skill, the `bird` binary itself is an external, user-installed dependency. If the `bird` CLI is compromised or has vulnerabilities (e.g., command injection in its own argument parsing), this could lead to arbitrary code execution on the host system. The skill relies on the user to install a trusted version of `bird` from an external source without version pinning or integrity checks. Avoid direct execution of external, unverified binaries. If absolutely necessary, ensure the binary is sandboxed, its arguments are strictly validated, and its source is pinned and verified (e.g., via checksums). Consider wrapping the external tool in a more controlled environment or using a library that provides similar functionality without direct shell execution. | LLM | scripts/fetch.cjs:14 | |
| HIGH | Untrusted Input Sent to LLM API The `generateMetadata` function sends user-controlled `url` and `originalText` (derived from X bookmarks) directly into a prompt for the OpenAI API. A malicious actor could craft a bookmark URL or text containing prompt injection instructions, potentially manipulating the AI's response to generate misleading summaries, titles, or tags, or even attempt to extract information from the LLM's context if the model is vulnerable. Implement robust input sanitization and validation for `url` and `originalText` before incorporating them into the LLM prompt. Consider using techniques like prompt templating with strict variable substitution, or passing untrusted data as separate parameters to the LLM API if supported, rather than embedding directly in the prompt string. | LLM | scripts/process.cjs:120 | |
| HIGH | Output Directories Controllable by Environment Variables The skill allows the `OPENCLAW_WORKSPACE` and `X_BOOKMARK_STATE_DIR` environment variables to override the default output directories for archived markdown files and state files, respectively. If an attacker can control these environment variables, they could direct the skill to write files to arbitrary locations on the filesystem. Although filenames are sanitized, writing to sensitive system directories could lead to denial of service, data corruption, or potentially privilege escalation if combined with other vulnerabilities. Restrict the ability to override critical output paths via environment variables. If customization is necessary, ensure that paths are strictly validated to be within a designated, sandboxed directory (e.g., using `path.resolve` and checking against a base directory) and do not allow absolute paths or path traversal sequences (`..`). | LLM | scripts/process.cjs:30 | |
| HIGH | Unpinned External Binary Dependency (bird CLI) The skill relies on the `bird CLI` as a prerequisite, instructing users to install it manually from GitHub. There is no version pinning, checksum verification, or consistent source URL provided (`steipete/bird` in `SKILL.md` vs `smmr-software/bird` in `fetch.cjs` error message). This exposes users to significant supply chain risks, as a compromised or malicious version of the `bird` CLI could be installed, leading to arbitrary code execution when the skill invokes it. For external binary dependencies, provide clear, consistent installation instructions with specific version pinning (e.g., a specific release tag or commit hash) and cryptographic hash (checksum) verification. Ideally, package the dependency or use a trusted package manager if available. | LLM | SKILL.md:11 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/iamadig/x-bookmark-archiver/SKILL.md:1 | |
| MEDIUM | Server-Side Request Forgery (SSRF) via URL Expansion The `expandUrl` function performs an `https.get` HEAD request on URLs obtained from untrusted X bookmark data. While intended for `t.co` link expansion, a malicious URL could potentially target internal network resources (SSRF), allowing an attacker to probe internal services, scan ports, or gather information about the internal network. Although only a HEAD request is made, it still constitutes an information leakage risk. Implement strict URL validation to ensure that only public, external URLs are accessed. Consider using a whitelist of allowed domains or IP ranges, and disallow private IP addresses, loopback addresses, and non-HTTP/HTTPS schemes. | LLM | scripts/process.cjs:67 |
Scan History
Embed Code
[](https://skillshield.io/report/759413758e585384)
Powered by SkillShield