Security Audit

flutter

github.com/anton-abyzov/specweave

AI SkillCommit 1823c3f6cf4d

TRUSTED

Scanned 5 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

flutter received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include Missing required field: name, Potential Command Injection via Bash Code Block.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 15, 2026 (commit 1823c3f6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

86%

Dependency Graph

100%

LLM Behavioral Safety

100%

Behavioral Risk Signals

Shell Execution

1 finding

Dynamic Code

1 finding

Excessive Permissions

1 finding

Security Findings2

Severity	Finding	Layer	Location
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	plugins/specweave-mobile/skills/flutter/SKILL.md:1
MEDIUM	Potential Command Injection via Bash Code Block The skill's documentation contains a bash code block. While the command `flutter create` is benign, the presence of executable shell commands within untrusted content, combined with the agent's declared 'Bash' permission, creates a vector for command injection. A malicious modification of this skill could replace the benign command with a harmful one (e.g., `rm -rf /` or data exfiltration commands), which an agent configured to execute such blocks might run. Review the agent's policy for executing shell commands found in skill documentation. If shell commands are necessary, ensure they are strictly validated, sandboxed, or require explicit user confirmation before execution. Consider if the 'Bash' permission is truly necessary for this skill's intended function, or if instructions for the user would suffice.	Static	SKILL.md:11

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/7fdbd0b5892c6e3d.svg)](https://skillshield.io/report/7fdbd0b5892c6e3d)