Trust Assessment
file-organizer received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include "Network egress to untrusted endpoints", "Covert behavior / concealment directives", and "Skill instructs LLM to execute shell commands with unsanitized user input".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Skill instructs LLM to execute shell commands with unsanitized user input.** The skill explicitly instructs the LLM to construct and execute shell commands (e.g., `ls`, `find`, `du`, `md5`, `mkdir`, `mv`) where parts of the command, such as directory paths (`[target_directory]`, `[directory]`), are derived from user input. The skill does not provide any instructions for sanitizing or escaping these inputs before embedding them into shell commands. This creates a direct command injection vulnerability, allowing an attacker to execute arbitrary commands by crafting malicious input for directory names or file paths. Implement robust input sanitization and escaping for all user-provided strings before they are incorporated into shell commands. Consider using a safer API for filesystem operations if available, or strictly whitelist allowed characters and escape all special shell characters. For example, use `shlex.quote()` in Python or similar functions in other languages. | LLM | SKILL.md:58 |
| HIGH | **Skill requires broad filesystem read/write/delete permissions.** The 'file-organizer' skill is designed to perform extensive operations on the user's filesystem, including listing, moving, renaming, and deleting files and directories across potentially large scopes (e.g., 'entire home folder'). While necessary for the skill's intended purpose, this broad access significantly increases the blast radius if the skill's execution environment is compromised (e.g., via command injection). An attacker exploiting a vulnerability could leverage these permissions to read, modify, or delete critical system files or sensitive user data. Implement strict sandboxing and least privilege principles for the execution environment of this skill. Limit the directories the skill can access to only those explicitly approved by the user and necessary for the current task. Ensure that the LLM's interaction with the filesystem is mediated by a secure API that enforces these restrictions and performs proper input validation and sanitization. | LLM | SKILL.md:30 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |