Skill Trust Decision

hostlink

The skill provides documented but undeclared shell:WRITE access to the host system (there is no allowed-tools declaration), and the HOSTLINK_TOKEN authentication credential is central to its operation yet comes with no explicit handling warnings.

Source: Manual upload · Scanned: Apr 4, 2026
Files: 2 · Artifacts: 0 · Violations: 4 · Findings: 4

Why this conclusion was reached

1/4 dimensions flagged

Block · Declared vs actual capability
4 undeclared or violating capabilities were inferred.

Pass · Hidden execution and egress
No obvious high-risk egress or execution signals were found.

Pass · Attack chain and severe findings
There is no explicit malicious chain in the report.

Review · Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

No allowed-tools declaration (+20)
SKILL.md never declares the shell:WRITE permission even though shell execution is the skill's core capability.

Critical credential handling (+15)
HOSTLINK_TOKEN enables arbitrary host command execution as root; no handling guidance is provided.

Host privilege escalation undeclared (+10)
The skill enables command execution as root on the host, but SKILL.md lacks any security caveats.

Most important evidence

Medium · Doc Mismatch
No allowed-tools declaration despite full shell access
The skill's primary function is executing arbitrary shell commands on the host system, yet SKILL.md contains no 'allowed-tools' section. Users cannot determine the actual permissions being granted.
Location: SKILL.md:1
Recommendation: Add an allowed-tools section declaring shell:WRITE permission

Medium · Priv Escalation
Root-level host command execution undeclared in security terms
The skill can execute arbitrary commands as root on the host system. references/setup.md notes 'All commands run as the user hostlinkd is started as (typically root if using systemd).' This is a critical privilege escalation vector with no warnings in SKILL.md.
Location: references/setup.md:92
Recommendation: Add prominent security warnings about the root privilege escalation risk

Medium · Credential Theft
HOSTLINK_TOKEN critical credential without handling guidance
The HOSTLINK_TOKEN is the sole authentication mechanism enabling arbitrary command execution on the host. It functions like a password or API key, yet SKILL.md provides no guidance on protecting it and no warning that it must not be logged or exposed.
Location: SKILL.md:17
Recommendation: Add credential handling guidelines; warn against logging or exposing the token

Low · Sensitive Access
Documents access to sensitive host paths
The skill documents access to potentially sensitive paths on the host: ~/.cache/huggingface/hub, the Docker socket and Docker management, and arbitrary home directory contents. It gives no guidance on what should not be accessed.
Location: SKILL.md:38
Recommendation: Document which host paths should be considered off-limits

Declared capability vs actual capability

Shell · Block · Declared: NONE · Inferred: WRITE
  SKILL.md:1 - All examples use 'hostlink exec' for arbitrary shell commands
Filesystem · Block · Declared: NONE · Inferred: READ
  SKILL.md:35-36 - Documents 'hostlink exec ls /home/jebadiah/projects', 'cat /etc/hostname'
Environment · Block · Declared: NONE · Inferred: READ
  SKILL.md:24 - Documents 'hostlink -e MY_VAR=value' for setting env vars, which implies env:READ
Network · Block · Declared: NONE · Inferred: READ
  SKILL.md:8 - Supports TCP/WireGuard remote access; references external connections

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

Total: 2 files · 270 lines
Markdown: 2 files · 270 lines

Files of concern · 2
SKILL.md · Markdown · 130 lines
  No allowed-tools declaration despite full shell access · HOSTLINK_TOKEN critical credential without handling guidance · Documents access to sensitive host paths
references/setup.md · Markdown · 140 lines
  Root-level host command execution undeclared in security terms

Security positives

Skill has comprehensive documentation of its capabilities and architecture
Authentication mechanism (token-based) is documented
Uses Unix socket by default (local-only without TCP exposure)
Exit codes are well-defined for error handling
Includes troubleshooting guidance for common issues