Trust Assessment
clinical-reports received a trust score of 61/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 1 medium, and 1 low severity. Key findings include "Dangerous tool allowed: Bash", "Network egress to untrusted endpoints", and "Covert behavior / concealment directives".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Dangerous tool allowed: Bash. The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | cli-tool/components/skills/scientific/clinical-reports/SKILL.md:1 |
| HIGH | Prompt Injection: Mandatory Instruction in Untrusted Content. The skill's primary documentation (SKILL.md), which is explicitly designated as untrusted input, contains a direct instruction to the host LLM: '⚠️ MANDATORY: Every clinical report MUST include at least 1 AI-generated figure using the scientific-schematics skill.' This violates the security principle that untrusted content should not contain instructions for the LLM. Such embedded commands can dictate the LLM's behavior (e.g., invoking another skill) based on data that should be treated as inert. While this specific instruction is functional rather than overtly malicious (like 'ignore previous instructions'), it still represents a bypass of the untrusted content boundary by attempting to control the LLM's actions. Remove direct instructions to the LLM from untrusted content. If a specific behavior or tool invocation is a functional requirement for the skill, it should be implemented as a programmatic constraint or a trusted instruction outside the untrusted input delimiters. For user guidance, rephrase such requirements as suggestions or examples of expected output rather than direct commands to the LLM. | LLM | SKILL.md:29 |
| MEDIUM | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | Covert behavior / concealment directives. Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |