Trust Assessment
develop-web-game received a trust score of 38/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Suspicious Global Package Installation (Typosquatting).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Suspicious Global Package Installation (Typosquatting).** The skill instructs the agent to install a global npm package named `@playwright/mcp@latest`. This package name is highly suspicious and strongly indicative of typosquatting. The official Playwright packages do not use `mcp` in their name. Installing an unverified package globally with `@latest` allows arbitrary code execution during installation (via `postinstall` scripts) and grants the package broad system-level permissions, posing a severe supply chain risk and potential command injection vector. Remediation: Remove the instruction to install `@playwright/mcp@latest`. If Playwright is required, instruct the agent to install the official `playwright` package, preferably as a local dependency with a pinned version, or provide a verified installation method. | Static | SKILL.md:109 |
| HIGH | **Arbitrary File Read via Command Line Argument.** The `scripts/web_game_playwright_client.js` script reads the content of a file specified by the `--actions-file` command-line argument using `fs.readFileSync`. While the skill recommends using a provided reference file, an attacker could manipulate this argument to point to any arbitrary file on the filesystem (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, environment variable files). This allows for potential data exfiltration if the contents of the read file can then be output or transmitted. Remediation: Implement strict validation and sanitization for the `--actions-file` argument. Restrict file paths to a predefined, secure directory or use a whitelist of allowed files. Avoid allowing arbitrary file paths to be read. If reading arbitrary files is strictly necessary, ensure the agent's execution environment is sandboxed and has minimal filesystem permissions. | Static | scripts/web_game_playwright_client.js:109 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | **Arbitrary File Write via Command Line Argument.** The `scripts/web_game_playwright_client.js` script writes various output files (screenshots, console errors, game state JSON) to a directory specified by the `--screenshot-dir` command-line argument. An attacker could manipulate this argument to specify an absolute path or a path that traverses directories (e.g., `../../../../tmp/malicious_output`), potentially overwriting important system files, filling up disk space in unintended locations, or writing to sensitive directories. Remediation: Implement strict validation and sanitization for the `--screenshot-dir` argument. Ensure that the path is relative to a secure, designated output directory and prevent directory traversal. Consider using a temporary directory for output files if persistence is not strictly required, or enforce a specific output root. | Static | scripts/web_game_playwright_client.js:20 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remediation: Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Powered by SkillShield