Trust Assessment
gepetto received a trust score of 40/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Command Injection via External Review Subagents.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via External Review Subagents. The skill explicitly instructs the host LLM to launch external review subagents ('Gemini via Bash', 'Codex via Bash') and pass them the 'plan content'. If the 'plan content' (which is derived from user input) contains shell metacharacters or malicious commands, it could lead to arbitrary command execution on the host system when executed via Bash without proper sanitization. Remediation: avoid direct execution of user-derived content via shell. If external tools must be invoked via Bash, ensure all user-controlled input is rigorously sanitized or passed as arguments in a way that prevents shell interpretation (e.g., using `subprocess.run` with `shell=False` and passing arguments as a list). Consider using a sandboxed environment for external tool execution. | Static | SKILL.md:120 |
| HIGH | Data Exfiltration to External LLMs during Review. The skill explicitly sends the 'plan content' to external LLM services ('Gemini', 'Codex') for review. If the initial user-provided specification or subsequent interview/research findings contain sensitive or proprietary information, this data will be transmitted to third-party services, potentially violating data privacy or security policies. Remediation: implement explicit user consent before sending data to external services. Provide options to redact or anonymize sensitive information from the 'plan content' before it is sent to external LLMs. Clearly document the data sharing implications for the user. | Static | SKILL.md:120 |
| MEDIUM | Network egress to untrusted endpoints. HTTP request to raw IP address. Remediation: review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Subagent Prompt Injection via Section Names. In Step 14, the skill constructs subagent prompts by interpolating `{name}` from the `SECTION_MANIFEST`. The `SECTION_MANIFEST` is derived from `index.md`, which is generated by the LLM based on the initial user-provided spec. A malicious user could craft an initial spec that, through LLM generation, results in a section name containing prompt injection payloads (e.g., shell commands, instructions to ignore previous commands) that could manipulate the subagent's behavior or lead to command injection within the subagent's execution context. Remediation: implement strict validation and sanitization for all user-derived variables (like section names) before they are interpolated into subagent prompts. Ensure that section names conform to a safe character set and length. Consider passing structured data to subagents instead of relying on string interpolation for critical parameters. | LLM | SKILL.md:160 |
| LOW | Covert behavior / concealment directives. Multiple zero-width characters (stealth text). Remediation: remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/55795ec5b21769b7