Security Audit
hypothesis-generation
github.com/davila7/claude-code-templates

Trust Assessment
hypothesis-generation received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 3 high, 1 medium, and 1 low severity. Key findings include an unconstrained Bash tool allowance, network egress to untrusted endpoints, and covert behavior / concealment directives.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via unsanitized script argument.** The skill explicitly instructs the agent to execute a bash command `python scripts/generate_schematic.py "your diagram description" -o figures/output.png`. The argument `"your diagram description"` is intended to be natural language, likely derived from user input or LLM generation based on user input. If this description is not properly sanitized to escape shell metacharacters before being passed to the shell, an attacker could inject arbitrary shell commands (e.g., `"; rm -rf /"`), leading to arbitrary code execution. *Remediation:* Implement robust input sanitization for the `"your diagram description"` argument before passing it to the shell. Ensure all shell metacharacters are properly escaped or, preferably, use a safer method such as passing the description via a temporary file or environment variable if the script supports it, or using a Python `subprocess` call with `shell=False` and passing arguments as a list. | Static | SKILL.md:40 |
| CRITICAL | **Command Injection via LaTeX compilation of untrusted content.** The skill instructs the agent to generate a LaTeX document (`hypothesis_report.tex`) and then compile it using `xelatex` and `bibtex`. The content of this LaTeX document (hypotheses, predictions, etc.) is generated by the LLM, potentially incorporating user-provided text. LaTeX's `\write18` command allows arbitrary shell command execution during compilation; if an attacker can inject `\write18{malicious command}` into the LLM-generated LaTeX content, arbitrary commands execute on the host during the compilation step. *Remediation:* When generating LaTeX documents from potentially untrusted input, thoroughly sanitize the generated content to prevent injection of malicious LaTeX commands, especially `\write18`. Disable `\write18` during compilation if possible, or compile in a highly restricted environment. Validate and escape all user-controlled text before embedding it into the LaTeX template. | Static | SKILL.md:204 |
| HIGH | **Dangerous tool allowed: Bash.** The skill allows the 'Bash' tool without constraints, granting arbitrary command execution. *Remediation:* Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | cli-tool/components/skills/scientific/hypothesis-generation/SKILL.md:1 |
| HIGH | **Excessive 'Bash' permission with identified command injection vectors.** The skill declares and utilizes the 'Bash' permission. While 'Bash' is necessary for the skill's functionality (e.g., running Python scripts and LaTeX compilation), the presence of two distinct command injection vulnerabilities (via `generate_schematic.py` arguments and LaTeX `\write18` during compilation) makes this permission excessively risky: an exploit of either would grant an attacker arbitrary command execution. *Remediation:* Mitigate the identified command injection vulnerabilities first; once addressed, the 'Bash' permission may be acceptable. If they cannot be fully mitigated, consider whether the skill's functionality can be achieved in a more restricted execution environment or by limiting the scope of commands run via Bash. | Static | SKILL.md:1 |
| HIGH | **LLM analysis found no issues despite critical deterministic findings.** Deterministic layers flagged 2 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to a raw IP address. *Remediation:* Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses; legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). *Remediation:* Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
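The remediation advice in the two critical findings can be sketched concretely. The snippet below is a minimal illustration, not the skill's actual code: it assumes `generate_schematic.py` accepts a positional description and an `-o` flag as shown in the finding, and it relies on two standard mechanisms: passing `subprocess` an argument list with `shell=False` (so shell metacharacters in the description are never interpreted) and invoking `xelatex` with `-no-shell-escape` (so `\write18` cannot execute during compilation).

```python
import subprocess


def schematic_cmd(description: str, out_path: str) -> list[str]:
    # Build the argument list explicitly. With shell=False, each element
    # is handed to the program verbatim, so an attacker-controlled
    # description such as '"; rm -rf /"' is treated as plain text,
    # never as shell syntax. (Paths here mirror the finding; adjust to
    # the real skill layout.)
    return ["python", "scripts/generate_schematic.py", description, "-o", out_path]


def latex_cmd(tex_file: str) -> list[str]:
    # -no-shell-escape disables \write18, so LaTeX injected into the
    # LLM-generated document cannot run shell commands at compile time.
    return ["xelatex", "-no-shell-escape", "-interaction=nonstopmode", tex_file]


if __name__ == "__main__":
    # In the real skill these lists would be executed, e.g.:
    # subprocess.run(schematic_cmd(desc, "figures/output.png"), shell=False, check=True)
    print(schematic_cmd('"; rm -rf /"', "figures/output.png"))
    print(latex_cmd("hypothesis_report.tex"))
```

Note that this hardens only the two identified vectors; the unconstrained 'Bash' permission flagged in the HIGH findings still needs to be narrowed separately.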
Embed Code
[SkillShield Security Report](https://skillshield.io/report/b9de5c1b692dbd84)
Powered by SkillShield