Trust Assessment
steve2 received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 6 critical, 5 high, 0 medium, and 0 low severity. Key findings include "File read + network send exfiltration", "Sensitive path access: AI agent config", and "User input '$ARGUMENTS' directly injected into subagent prompt with bypassPermissions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit e47452f4). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **File read + network send exfiltration** (AI agent config/credential file access). Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | steve2/SKILL.md:9 |
| CRITICAL | **File read + network send exfiltration** (AI agent config/credential file access). Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | steve2/SKILL.md:22 |
| CRITICAL | **File read + network send exfiltration** (AI agent config/credential file access). Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | steve2/SKILL.md:52 |
| CRITICAL | **File read + network send exfiltration** (AI agent config/credential file access). Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | steve2/SKILL.md:65 |
| CRITICAL | **User input '$ARGUMENTS' directly injected into subagent prompt with bypassPermissions.** The skill directly embeds the user's `$ARGUMENTS` into the prompt for a subagent invoked via the `Task` tool. This subagent is explicitly granted `bypassPermissions`, allowing it to operate with elevated privileges. An attacker can craft malicious `$ARGUMENTS` to inject arbitrary instructions into the subagent, potentially leading to unauthorized actions, data exfiltration, or further command injection. This is a direct prompt injection vector into a highly privileged execution context. User input (`$ARGUMENTS`) must be strictly sanitized, validated, and ideally passed as structured data rather than directly embedded into natural language prompts, especially when invoking subagents with elevated permissions. Consider using a dedicated parameter for the project description that is not interpreted as instructions by the subagent. Re-evaluate the necessity of `bypassPermissions` for subagents handling user input. | LLM | SKILL.md:30 |
| CRITICAL | **Subagents invoked with 'bypassPermissions' mode.** The skill explicitly invokes multiple subagents using the `Task` tool with `mode: "bypassPermissions"`. This grants these subagents unrestricted access to the environment, bypassing standard security controls. When combined with the direct injection of user-controlled input (as identified in the prompt injection finding), this creates a severe vulnerability where an attacker can execute arbitrary code or perform unauthorized actions with elevated privileges. Avoid using `bypassPermissions` unless absolutely necessary and with extreme caution. If elevated privileges are required, ensure that all inputs to the subagent are thoroughly sanitized and validated, and that the subagent's actions are strictly confined to the minimum necessary scope. Consider using a more granular permission model or sandboxing for subagent execution. | Static | SKILL.md:29 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | steve2/SKILL.md:9 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | steve2/SKILL.md:22 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | steve2/SKILL.md:52 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | steve2/SKILL.md:65 |
| HIGH | **Subagents instructed to 'execute all steps' from templates with bypassPermissions.** The skill instructs subagents (operating with `bypassPermissions`) to 'execute all steps' from template files (e.g., `phase0-equip.md`). While the skill itself doesn't directly construct shell commands from user input in the provided snippet, the combination of `bypassPermissions`, user-controlled prompt injection into the subagent, and the instruction to 'execute all steps' from potentially dynamic templates creates a high risk of command injection. An attacker could inject instructions into the subagent's prompt that lead it to generate and execute arbitrary shell commands, leveraging its elevated permissions. Implement strict sandboxing for subagents. Review the contents of the template files (`phase0-equip.md`, etc.) to ensure they do not contain or allow for the generation of arbitrary commands. If commands must be executed, ensure they are hardcoded or constructed from strictly validated and sanitized inputs, and executed with the least privilege necessary. | Static | SKILL.md:30 |