Trust Assessment
file-validator received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unrestricted file path in MIME type check.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit de937128). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unrestricted file path in MIME type check The `check_mime_type` function accepts an arbitrary `filepath` argument without any path sanitization or directory restriction. This allows an attacker to probe the existence and MIME type of any file on the system, potentially leading to information disclosure about sensitive files outside the intended `~/documents/` scope. While the `validate_file` function correctly restricts file access, `check_mime_type` does not enforce these same safety measures, creating an information leakage vulnerability if the LLM can call it directly. Modify `check_mime_type` to enforce the same path sanitization and directory restrictions as `validate_file`. For example, ensure the `filepath` is restricted to `os.path.expanduser('~/documents/')` and that only the basename is used for file operations within that directory. Alternatively, ensure `check_mime_type` is only called internally with paths already validated by `validate_file`. | LLM | validate.py:48 |
Scan History
Embed Code
[](https://skillshield.io/report/7ed7df9e9143cf66)
Powered by SkillShield