Security Audit

CyrusSE/use-skills:skills/use-skills

github.com/CyrusSE/use-skills

AI SkillCommit 865ba6bf8c64

TRUSTED

Scanned 30 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

CyrusSE/use-skills:skills/use-skills received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Prompt Injection via User-Provided Skill Descriptions.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on May 1, 2026 (commit 865ba6bf). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Shell Execution

1 finding

Dynamic Code

1 finding

Security Findings1

Severity	Finding	Layer	Location
HIGH	Prompt Injection via User-Provided Skill Descriptions The `use-skills` skill instructs the LLM to read and interpret descriptions of skills, including those provided by the user (e.g., via `<skill><name>...</name><description>...</description></skill>` blocks). The LLM uses these descriptions to determine skill relevance and to draft parts of the mode menu (specifically the 'For:' lines and candidate lists). A malicious user could embed prompt injection instructions within a crafted skill description. When the LLM processes this untrusted description to fulfill the `use-skills` instructions (e.g., to decide if a skill has a 'meaningful primary, support, adjacent-context, prompt-quality, wording, planning, or framing role'), it could be manipulated into executing the injected commands, leading to unintended actions, data exposure, or denial of service. Implement strict sanitization or a 'read-only' mode for user-provided skill descriptions before the LLM processes them for relevance or display. Alternatively, use a separate, sandboxed LLM call to summarize or extract keywords from user-provided descriptions without allowing it to execute instructions. The primary LLM should only receive sanitized metadata, not raw untrusted descriptions. If raw descriptions must be processed, ensure strong system prompts are in place to prevent instruction following from untrusted content.	LLM	SKILL.md:71

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/b1a5cf399c9580a7.svg)](https://skillshield.io/report/b1a5cf399c9580a7)