Security Audit

affaan-m/everything-claude-code:.cursor/skills/nutrient-document-processing

github.com/affaan-m/everything-claude-code

AI SkillCommit db27ba1eb225

CRITICAL

Scanned about 1 month ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

affaan-m/everything-claude-code:.cursor/skills/nutrient-document-processing received a trust score of 26/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 3 findings: 0 critical, 3 high, 0 medium, and 0 low severity. Key findings include Covert behavior / concealment directives, Unpinned dependency in MCP server configuration.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 24, 2026 (commit db27ba1e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

70%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Network Access

1 finding

Shell Execution

1 finding

Security Findings3

Severity	Finding	Layer	Location
HIGH	Covert behavior / concealment directives Directive to hide behavior from user Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users.	Manifest	.cursor/skills/nutrient-document-processing/SKILL.md:102
HIGH	Covert behavior / concealment directives Directive to hide behavior from user Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users.	Manifest	.cursor/skills/nutrient-document-processing/SKILL.md:152
HIGH	Unpinned dependency in MCP server configuration The `mcpServers` configuration specifies `@nutrient-sdk/dws-mcp-server` without a version constraint. When `npx` is used with an unpinned package, it will always fetch and execute the latest available version. This introduces a supply chain risk: if a malicious version of `@nutrient-sdk/dws-mcp-server` were published, it could be automatically downloaded and executed, potentially leading to arbitrary code execution on the host system. The use of the `-y` flag further exacerbates this by automatically confirming the installation without user intervention. Pin the dependency to a specific, known-good version (e.g., `"args": ["-y", "@nutrient-sdk/dws-mcp-server@1.2.3"]`). Regularly review and update the pinned version to benefit from security patches and new features while mitigating the risk of unexpected or malicious changes.	LLM	SKILL.md:109

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/f3aace09c4624577.svg)](https://skillshield.io/report/f3aace09c4624577)