Trust Assessment
artifacts-builder received a trust score of 57/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Unsanitized user input in shell command leads to command injection.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Unsanitized user input in shell command leads to command injection.** The `PROJECT_NAME` variable, which is derived directly from user input (`$1`), is used unsanitized within a `sed` command. A malicious user can inject shell metacharacters (e.g., `'`, `;`, `|`, `&`) into `PROJECT_NAME` to break out of the `sed` command's argument and execute arbitrary shell commands on the system where the script is run. For example, providing `foo'; rm -rf /; echo 'bar` as the project name would execute `rm -rf /`. Sanitize `PROJECT_NAME` by escaping all shell metacharacters before using it in shell commands. A robust solution would involve validating the input to ensure it only contains allowed characters (e.g., alphanumeric, hyphens) or using a safer method for file manipulation that doesn't involve direct shell command concatenation with untrusted input. | LLM | scripts/init-artifact.sh:69 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | **Global package installation from untrusted source.** The `init-artifact.sh` script attempts to globally install `pnpm` using `npm install -g pnpm` if `pnpm` is not found. This introduces a supply chain risk, as a compromised `npm` registry or a malicious `pnpm` package could lead to arbitrary code execution on the system where the skill is run. Global installations are particularly risky as they affect the entire system. Avoid global package installations within skills. If `pnpm` is a prerequisite, instruct the user to install it manually or ensure it's available in the environment. If absolutely necessary to install programmatically, consider pinning to a specific, verified version and using integrity checks (e.g., `npm install -g pnpm@<version> --integrity <hash>`) or using a private, trusted registry. | LLM | scripts/init-artifact.sh:50 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/43d2d236ca67184f (powered by SkillShield)