Trust Assessment
zero-rules received a trust score of 34/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 0 high, 1 medium, and 1 low severity. Key findings include Arbitrary command execution, Node lockfile missing, Potential Command Injection via `exec` tool invocation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/deeqyaqub1-cmd/zero-rules/rules.js:8 | |
| CRITICAL | Potential Command Injection via `exec` tool invocation The skill's `SKILL.md` instructs the host LLM to invoke the `rules.js` script using an `exec` tool, passing the user's message as a single command-line argument: `node {baseDir}/rules.js "<user message>"`. If the `exec` tool does not properly escape the `<user message>` before executing the command in a shell, a malicious user could inject arbitrary shell commands (e.g., `foo"; rm -rf /`). While the `rules.js` script itself does not use `child_process.exec` or similar internally, the recommended invocation method creates a critical command injection vulnerability if the host environment's `exec` tool is not robustly secured against shell metacharacters. The host LLM's `exec` tool must ensure robust shell escaping of all user-provided arguments. The skill developer should explicitly state this requirement in the documentation or provide an alternative invocation method that uses a more secure API (e.g., `child_process.spawn` with arguments passed as an array, not a single string) to prevent shell interpretation of user input. | LLM | SKILL.md:37 | |
| MEDIUM | Information Disclosure via Excessive Directory Listing Permissions The 'files' rule in `rules.js` allows listing the contents (filenames) of directories within the skill's `baseDir` or the user's `HOME` directory using `fs.readdirSync(targetDir)`. Although the skill attempts to sandbox path traversal and explicitly states it doesn't read file contents, listing arbitrary filenames within these broad scopes can still expose sensitive information about the system's structure, user's installed software, or the presence of sensitive configuration files (e.g., `~/.ssh`, `~/aws`, `~/secrets`). This capability provides an attacker with reconnaissance opportunities, which is an excessive permission for a skill primarily advertised for deterministic tasks like math, time, and currency conversion. Restrict the 'files' rule to a very specific, non-sensitive directory (e.g., a temporary skill-specific directory) or remove the file listing capability if it is not strictly necessary for the skill's core function. If listing is required, implement a strict allowlist of directories or file patterns, rather than allowing arbitrary paths within `HOME` or `baseDir`. | LLM | rules.js:240 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/deeqyaqub1-cmd/zero-rules/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/eac025d2d111f2ca)
Powered by SkillShield