Trust Assessment
last30days received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 3 critical, 3 high, 1 medium, and 0 low severity. Key findings include unsafe environment variable passthrough, file read + network send exfiltration, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location | Details |
|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration | Manifest | skills/last30days/SKILL.md:89 | AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. |
| CRITICAL | Credential harvesting | Manifest | skills/last30days/scripts/lib/env.py:41 | Reading well-known credential environment variables. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. |
| CRITICAL | Prompt Injection via Untrusted Skill Instructions | LLM | SKILL.md:20 | The skill's `SKILL.md` file, which is explicitly marked as untrusted input, contains direct instructions to the host LLM using imperative language (e.g., 'CRITICAL:', 'IMPORTANT:', 'DO NOT'). This attempts to manipulate the LLM's behavior and override its core instructions, which is a form of prompt injection. The LLM should not follow instructions embedded within untrusted content. Remove all direct instructions, imperatives, and meta-commands (like 'CRITICAL:', 'IMPORTANT:') from the untrusted skill content. The skill's logic should be implemented in code, and the `SKILL.md` should only provide descriptive information or examples, not instructions to the LLM. |
| HIGH | Unsafe environment variable passthrough | Manifest | skills/last30days/scripts/lib/env.py:41 | Access to well-known credential environment variables. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. |
| HIGH | Sensitive path access: AI agent config | Static | skills/last30days/SKILL.md:89 | Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. |
| HIGH | Command Injection via Unsanitized User Arguments | LLM | SKILL.md:100 | The skill executes a Python script using `bash` and directly interpolates the user-controlled `$ARGUMENTS` variable into the command: `python3 ~/.claude/skills/last30days/scripts/last30days.py "$ARGUMENTS" --emit=compact 2>&1`. If a malicious user provides input containing shell metacharacters (e.g., `;`, `&&`, `\|`, `$(...)`), these characters will be interpreted by the shell, allowing the attacker to execute arbitrary commands on the host system. This is a classic command injection vulnerability. Avoid direct interpolation of user-controlled input into shell commands. Instead, pass arguments as distinct parameters to the Python script, allowing `argparse` or similar libraries to handle them safely. If shell execution is unavoidable, ensure all user-controlled input is rigorously sanitized or properly quoted to prevent metacharacter interpretation. For example, use `shlex.quote()` in Python before passing arguments to a shell command. |
| MEDIUM | Suspicious import: urllib.request | Static | skills/last30days/scripts/lib/http.py:8 | Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. |
| INFO | Handling of Sensitive API Keys | LLM | SKILL.md:78 | The skill instructs the user to provide API keys (`OPENAI_API_KEY`, `XAI_API_KEY`) and stores them in a local `.env` file (`~/.config/last30days/.env`) with `chmod 600`. While the `chmod 600` instruction is a good security practice to restrict file permissions, and the keys are used for their intended purpose (making API calls to external services), the handling of sensitive credentials by any skill introduces a potential risk. A compromised or malicious skill could theoretically exfiltrate these keys, although no explicit exfiltration is observed in the provided code. Ensure robust input validation and sandboxing for any skill that handles sensitive credentials. While the current implementation follows best practices for local storage, consider alternative credential management solutions (e.g., platform-managed secrets, short-lived tokens) if available, to minimize the attack surface. Regularly audit the skill's code for any unintended data access or network activity. |