Skill Trust Decision

skill-state-manager

This skill is a credential harvesting framework that collects and stores user API keys/tokens to plaintext JSON files without encryption, posing significant phishing and credential theft risks if invoked by a malicious agent.

Install decision first
Source: Manual upload
Scanned: Apr 3, 2026
Files 1
Artifacts 1
Violations 0
Findings 4
Most direct threat evidence
01
User installs skill-state-manager skill
Entry · SKILL.md
02
Attacker invokes SSM claiming a third-party tool needs authentication
Reconnaissance · SKILL.md
03
User provides API keys believing it's for legitimate integration
Impact · SKILL.md

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review
Hidden execution and egress

1 lower-risk artifact was extracted and still needs context.

Block
Attack chain and severe findings

The report includes 5 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
User installs skill-state-manager skill

Entry · SKILL.md:1

02
Attacker invokes SSM claiming a third-party tool needs authentication

Reconnaissance · SKILL.md:22

03
User provides API keys believing it's for legitimate integration

Impact · SKILL.md:37

04
Credentials stored in plaintext ~/.ai-skills-state/<tool>.json

Impact · SKILL.md:43

05
Attacker reads stored credentials from filesystem

Exfiltration · SKILL.md:44

What drove the risk score up

Credential harvesting framework +25

Skill explicitly collects API keys/tokens through conversational UI

Unencrypted plaintext storage +20

Credentials stored in ~/.ai-skills-state/*.json without encryption

No code implementation to audit +10

Only SKILL.md exists; actual behavior depends on invoking agent

Most important evidence

High

Credential Harvesting Framework

The skill is explicitly designed to collect API keys, tokens, and secrets from users through conversational prompts. While this is declared behavior, it creates a phishing surface if invoked by a malicious agent.

SKILL.md:1
Do not use skills that collect credentials through conversational interfaces
High

Plaintext Credential Storage

Credentials are stored as unencrypted JSON files in user home directories (~/.ai-skills-state/ or ~/.claude/skills-state/). Any malware or unauthorized access to the system can read these secrets.

SKILL.md:43
Use encrypted secret storage mechanisms (keyring, OS keychain, encrypted vaults)
Medium

No Encryption or Security Controls

The skill makes no mention of encrypting stored credentials, access controls, or any security measures beyond 'saving' to JSON.

SKILL.md:40
Legitimate credential managers use OS keychains or encrypted storage
Low

Implementation Not Included

Only a SKILL.md file exists; there is no actual Python/script implementation to audit for hidden functionality. Behavior depends entirely on the invoking AI agent.

SKILL.md:1
Request full source code implementation before using any credential-handling skill

Declared capability vs actual capability

Filesystem Pass
Declared WRITE
Inferred WRITE
SKILL.md:43-47 Write to JSON files in ~/.claude/skills-state/ or ~/.ai-skills-state/

Suspicious artifacts and egress

Medium External URL
https://myorg.atlassian.net

SKILL.md:61

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 62 lines
Markdown 1 file · 62 lines
Files of concern · 1
SKILL.md Markdown · 62 lines
Credential Harvesting Framework · Plaintext Credential Storage · No Encryption or Security Controls · Implementation Not Included · https://myorg.atlassian.net

Security positives

Declared behavior matches documentation - no hidden functionality detected
Skill uses standard filesystem paths for storage (predictable)
No network calls, shell execution, or base64 encoded payloads observed