Skill Trust Decision
run402-test
Skill performs undeclared filesystem access to read stored API credentials from ~/.config/run402/ that is not mentioned in SKILL.md documentation.
Most direct threat evidence
Why this conclusion was reached
1/4 dimensions flagged Block
Declared vs actual capability
3 undeclared or violating capabilities were inferred.
Review
Hidden execution and egress
4 lower-risk artifacts were extracted and still need context.
Pass
Attack chain and severe findings
There is no explicit malicious chain in the report.
Review
Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.
What drove the risk score up
Undeclared filesystem access +15
SKILL.md only shows curl examples but script reads ~/.config/run402/projects.json
Undeclared credential access +10
Reads service_key from local config without documentation
Network access not declared +10
Makes HTTP POST requests to api.run402.com not declared as capability
Most important evidence
Medium Doc Mismatch
Documentation mismatch - curl examples vs actual implementation
SKILL.md only shows curl commands for database operations but the actual sql2.mjs script reads local config files from ~/.config/run402/projects.json. This hidden file access is not documented.
sql2.mjs:10 Document that the script requires pre-existing credentials stored in ~/.config/run402/projects.json or provide setup instructions.
Medium Sensitive Access
Accesses sensitive application config directory
Script reads from ~/.config/run402/ directory which is a sensitive application configuration path containing service credentials.
sql2.mjs:8 If this is a legitimate database client, clarify that it reads locally stored credentials for authenticated API access.
Low Credential Theft
Reads service_key credential from local file
The script extracts service_key from projects.json and uses it as Bearer token for API authorization. While this may be legitimate, credential access is undeclared.
sql2.mjs:12 Document whether the script exfiltrates credentials or only uses them for legitimate API calls.
Declared capability vs actual capability
Filesystem Block
Declared NONE
→ Inferred READ
sql2.mjs:10 reads readFileSync(join(CONFIG_DIR, "projects.json")) Network Block
Declared NONE
→ Inferred WRITE
sql2.mjs:14 performs fetch() POST to api.run402.com Shell Pass
Declared NONE
→ Inferred NONE
No shell execution detected Environment Pass
Declared NONE
→ Inferred NONE
No environment variable access detected Skill Invoke Pass
Declared NONE
→ Inferred NONE
No cross-skill invocation detected Clipboard Pass
Declared NONE
→ Inferred NONE
No clipboard access detected Browser Pass
Declared NONE
→ Inferred NONE
No browser access detected Database Block
Declared NONE
→ Inferred READ
sql2.mjs:12 reads service_key from projects.json Suspicious artifacts and egress
Medium External URL
https://api.run402.com/v1/projects SKILL.md:13
Medium External URL
https://api.run402.com/admin/v1/projects/$PROJECT_ID/sql SKILL.md:24
Medium External URL
https://api.run402.com/rest/v1/todos?done=eq.false SKILL.md:33
Medium External URL
https://api.run402.com sql2.mjs:5
Dependencies and supply chain
There are no structured dependency warnings.
File composition
2 files · 58 lines
Markdown 1 files · 43 linesJavaScript 1 files · 15 lines
Files of concern · 2
SKILL.md https://api.run402.com/v1/projects · https://api.run402.com/admin/v1/projects/$PROJECT_ID/sql · https://api.run402.com/rest/v1/todos?done=eq.false
sql2.mjs Documentation mismatch - curl examples vs actual implementation · Accesses sensitive application config directory · Reads service_key credential from local file · https://api.run402.com
Security positives
HTTP requests go to a legitimate domain (api.run402.com) not a suspicious IP
No base64 encoding or obfuscation detected
No reverse shell, C2, or data exfiltration patterns
No remote script execution (curl|bash, wget|sh)
No direct credential harvesting from environment variables
No access to ~/.ssh, ~/.aws, or system credential stores