Security Audit
Sounder25/Google-Antigravity-Skills-Library:16_mcp_connector
github.com/Sounder25/Google-Antigravity-Skills-Library
Trust Assessment
Sounder25/Google-Antigravity-Skills-Library:16_mcp_connector received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 3 high, 0 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.run()", and "Arbitrary command injection via `run_skill` arguments".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 28, 2026 (commit 09376edc). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | 16_mcp_connector/server.py:46 |
| CRITICAL | **Arbitrary command injection via `run_skill` arguments.** The `run_skill` function directly appends the result of `args.split()` to the PowerShell command list executed via `subprocess.run`. This allows an attacker to inject arbitrary PowerShell commands or parameters by crafting the `args` string (e.g., `'; malicious_command'`), leading to arbitrary code execution on the host system with the privileges of the Python process. The use of `-ExecutionPolicy Bypass` further lowers the bar for successful exploitation. Do not directly split and append user-controlled input to a command list. Instead, pass the `args` string as a single, properly quoted argument to the PowerShell script, or define specific, validated parameters for skills. If `args` must be parsed by Python, use `shlex.quote` on each argument before passing it to `subprocess.run`, or use a more robust argument parsing library that handles shell injection safely. | Static | server.py:45 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'run_skill'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | 16_mcp_connector/server.py:46 |
| HIGH | **Arbitrary file read via path traversal in `read_skill_spec`.** The `read_skill_spec` function constructs a file path using `os.path.join(SKILLS_ROOT, skill_id, "SKILL.md")`. The `skill_id` parameter is not sanitized, allowing an attacker to use path traversal sequences (e.g., `../`, `..\`) to read arbitrary files outside the intended `SKILLS_ROOT` directory. This can lead to sensitive data exfiltration. Sanitize the `skill_id` parameter to prevent path traversal. Validate that `skill_id` does not contain path separators or `..` sequences, or resolve the path using `os.path.realpath` and verify that the resulting path remains strictly within the `SKILLS_ROOT` directory before opening the file. | Static | server.py:59 |
| HIGH | **Arbitrary script execution via path traversal in `run_skill`.** The `run_skill` function constructs a skill directory path using `os.path.join(SKILLS_ROOT, skill_id)`. The `skill_id` parameter is not sanitized, allowing an attacker to use path traversal sequences (e.g., `../`, `..\`) to point to a directory outside `SKILLS_ROOT`. If this external directory contains a PowerShell script (`.ps1`), the function will locate and execute it, leading to arbitrary code execution on the host system. Sanitize the `skill_id` parameter to prevent path traversal. Validate that `skill_id` does not contain path separators or `..` sequences, or resolve the path using `os.path.realpath` and verify that the resulting path remains strictly within the `SKILLS_ROOT` directory before searching for and executing scripts. | Static | server.py:36 |