Trust Assessment
imagegen received a trust score of 23/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 2 high, 2 medium, and 1 low severity. The critical finding (credential harvesting) and one of the high findings (unsafe environment variable passthrough) point at the same line, scripts/image_gen.py:47, and describe one root cause: the script reads well-known credential environment variables and passes them through rather than accessing only the variables it needs. The remaining findings are unconfined file-path arguments in the same script, an HTTP request to a raw IP address, unpinned Python dependencies, and zero-width characters in a manifest.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. Manifest Analysis scored lowest at 46/100; it holds four of the six findings, including the critical one. Note that two of those manifest findings (the raw-IP request and the stealth text) are located in MCP configuration files under cli-tool/components/mcps/devtools/, outside the imagegen skill directory, so they describe the scanned repository rather than this skill's own script.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Credential harvesting: reading well-known credential environment variables. Skills should only access environment variables they explicitly need; bulk environment dumps (`os.environ.copy()`, `JSON.stringify(process.env)`) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | cli-tool/components/skills/creative-design/imagegen/scripts/image_gen.py:47 |
| HIGH | Unsafe environment variable passthrough: access to well-known credential environment variables. Minimize environment variable exposure: pass only required, non-sensitive variables to MCP servers, and use dedicated secret management instead of environment passthrough. | Manifest | cli-tool/components/skills/creative-design/imagegen/scripts/image_gen.py:47 |
| HIGH | Arbitrary file system access via CLI arguments: `scripts/image_gen.py` accepts file paths for the input prompt (`--prompt-file`), input images, and output files/directories (`--out`, `--out-dir`) without validating or confining them to a safe directory (e.g. `tmp/imagegen/`, `output/imagegen/`). If the LLM is compromised or tricked into supplying malicious paths, this allows data exfiltration (reading sensitive files such as `/etc/passwd` or `/root/.ssh/id_rsa` via `--prompt-file` or image input paths) and arbitrary file write (to locations such as `/etc/cron.d/malicious_job` or `/root/.bashrc` via `--out` or `--out-dir`), i.e. file system access beyond the intended scope of the skill. Implement strict path validation for all file-related arguments: confine input and output paths to designated subdirectories (e.g. `tmp/imagegen/`, `output/imagegen/`) or explicitly whitelisted locations, and reject any path that traverses outside them (`..` segments, absolute paths outside the sandbox). | Static | scripts/image_gen.py:50 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to a raw IP address. Review all outbound network calls; remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Unpinned Python dependencies: the installation instructions install `openai` and `pillow` without exact version numbers, so a malicious or breaking release of either dependency would be pulled in automatically. Pin all Python dependencies to specific, known-good versions (e.g. `openai==1.x.x`, `pillow==9.x.x`) and review and update the pins regularly. | Static | SKILL.md:89 |
| LOW | Covert behavior / concealment directives: multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides; skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
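The CRITICAL and HIGH findings at image_gen.py:47 describe one pattern: handing a child everything the parent environment holds instead of the one or two variables the skill needs. As an added example (not code from the imagegen skill or from SkillShield; the sample environment, the credential-name regex and the bulk-dump detector patterns are constructed assumptions), here is the flagged bulk-dump pattern beside an allowlist builder, plus a source-level check for the dump idioms the report names:

```python
"""Environment passthrough: the flagged bulk-dump pattern beside an allowlist.

Added example; not code from the imagegen skill. Variable names, the
credential-name regex and the sample environment are all assumptions.
"""
import os
import re

# Constructed stand-in for the parent process environment.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/user",
    "LANG": "en_US.UTF-8",
    "OPENAI_API_KEY": "sk-constructed-example",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret",
    "GITHUB_TOKEN": "ghp_constructed",
}

# Names that usually carry credentials (assumed list; extend for your estate).
CREDENTIAL_NAME_RE = re.compile(
    r"SECRET|TOKEN|PASSW(OR)?D|API_KEY|PRIVATE_KEY|CREDENTIAL", re.IGNORECASE)

# Source-level idioms behind a "bulk environment dump" finding.
BULK_DUMP_RE = re.compile(
    r"os\.environ\.copy\(\)"
    r"|dict\(os\.environ\)"
    r"|\{\*\*os\.environ\}"
    r"|JSON\.stringify\(process\.env\)"
    r"|Object\.assign\([^)]*process\.env")


def vulnerable_child_env(env=None):
    """The flagged pattern: hand the child every variable the parent has."""
    env = os.environ if env is None else env
    return dict(env)


def hardened_child_env(required, env=None):
    """Pass only an explicit allowlist; a credential crosses only if it is named."""
    env = os.environ if env is None else env
    return {name: env[name] for name in required if name in env}


def credential_names_exposed(child_env):
    """Which credential-looking variables a child environment would leak."""
    return sorted(n for n in child_env if CREDENTIAL_NAME_RE.search(n))


def find_bulk_env_dumps(source):
    """Static check: (line number, matched text) for each bulk env dump idiom."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in BULK_DUMP_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


# Constructed snippet in the shape of the flagged pattern (not image_gen.py).
SAMPLE_SOURCE = """\
import os, subprocess

def run_tool(cmd):
    env = os.environ.copy()          # bulk dump: every secret reaches the child
    return subprocess.run(cmd, env=env)

api_key = os.environ.get("OPENAI_API_KEY")   # explicit read of one needed variable
"""

if __name__ == "__main__":
    print("bulk dump leaks:", credential_names_exposed(vulnerable_child_env(SAMPLE_ENV)))
    print("allowlist leaks:", credential_names_exposed(
        hardened_child_env(["PATH", "HOME", "OPENAI_API_KEY"], SAMPLE_ENV)))
    print("static hits:", find_bulk_env_dumps(SAMPLE_SOURCE))
```

With the constructed environment the bulk copy exposes all three credentials, while the allowlist exposes only `OPENAI_API_KEY`, which the skill actually needs; the static check flags line 4 of the sample. Reading a single needed variable with `os.environ.get(...)`, as the last line does, is not what the finding objects to.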
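For the unconfined-path finding, one way to implement the recommended check (added example, not the skill's own code; the two root directories, the helper names and the demo layout are assumptions) is to resolve each argument before testing containment, so that `..` segments, absolute paths and symlinks planted inside the sandbox are all judged by where they actually point rather than by string matching:

```python
"""Confine CLI file arguments to designated directories.

Added example; not code from the imagegen skill. The root directories and
the demo layout are assumptions.
"""
import tempfile
from pathlib import Path


class PathOutsideSandbox(ValueError):
    """A user-supplied path resolved to a location outside the allowed roots."""


def confine(user_path, allowed_roots):
    """Return the resolved path if it lies under one of allowed_roots.

    resolve() makes the path absolute (relative paths resolve against the
    current directory), collapses '..' segments and follows symlinks, so the
    containment test runs on the final location rather than on the raw string.
    A non-existent leaf is fine, which is what an output path needs.
    """
    roots = [Path(r).resolve() for r in allowed_roots]
    resolved = Path(user_path).resolve()
    for root in roots:
        if resolved == root or root in resolved.parents:
            return resolved
    raise PathOutsideSandbox(f"{str(user_path)!r} resolves to {resolved}, outside {roots}")


def read_prompt(prompt_file, roots):
    """--prompt-file: read only after containment is proven."""
    return confine(prompt_file, roots).read_text(encoding="utf-8")


def open_output(out_path, roots):
    """--out / --out-dir: create parents inside the sandbox, then open for writing."""
    target = confine(out_path, roots)
    target.parent.mkdir(parents=True, exist_ok=True)
    return target.open("wb")


def demo():
    """Exercise the check against a constructed sandbox; returns label -> outcome."""
    sandbox = Path(tempfile.mkdtemp())
    prompt_dir = sandbox / "tmp" / "imagegen"
    out_dir = sandbox / "output" / "imagegen"
    prompt_dir.mkdir(parents=True)
    out_dir.mkdir(parents=True)
    (prompt_dir / "prompt.txt").write_text("a watercolour fox", encoding="utf-8")
    (sandbox / "secret.txt").write_text("not for the skill", encoding="utf-8")
    roots = [prompt_dir, out_dir]
    results = {}

    def attempt(label, path):
        try:
            confine(path, roots)
            results[label] = "allowed"
        except PathOutsideSandbox:
            results[label] = "rejected"

    attempt("prompt_file", prompt_dir / "prompt.txt")
    attempt("new_output", out_dir / "run1" / "image.png")          # leaf does not exist yet
    attempt("traversal", prompt_dir / ".." / ".." / "secret.txt")  # escapes via '..'
    attempt("absolute", "/etc/passwd")
    link = prompt_dir / "innocent.txt"
    try:
        link.symlink_to(sandbox / "secret.txt")   # symlink planted inside the sandbox
        attempt("symlink", link)
    except OSError:                               # platform without symlink support
        results["symlink"] = "skipped"
    results["prompt_text"] = read_prompt(prompt_dir / "prompt.txt", roots)
    with open_output(out_dir / "run1" / "image.png", roots) as fh:
        fh.write(b"\x89PNG")
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The check is a resolve-then-open sequence, so it closes the attacker-controlled-argument case the finding describes but not a race against a hostile local writer who swaps a symlink in between the two steps; if that is in scope, open the resolved path with `O_NOFOLLOW` via `os.open` rather than `Path.open`.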
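The two manifest findings in the MCP configs (the raw-IP request and the zero-width characters) are both string-level checks over a JSON manifest. The linter below is an added example that is not SkillShield's scanner; the manifest is constructed (203.0.113.7 is a documentation address) and the stealth-character table is an assumption. It also reports bidirectional overrides, which the remediation text names alongside zero-width characters:

```python
"""Lint an MCP manifest for raw-IP egress and stealth characters.

Added example; not SkillShield's scanner. The manifest below is constructed
(203.0.113.7 is a documentation address) and the character table is an assumption.
"""
import ipaddress
import json
import re
from urllib.parse import urlparse

# Zero-width and bidirectional-control code points that hide or reorder text.
STEALTH_CHARS = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def walk_strings(obj, path="$"):
    """Yield (json-path, string) for every string value in a parsed manifest."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def is_raw_ip_host(url):
    """True when the URL's host is a literal IPv4/IPv6 address rather than a domain."""
    host = urlparse(url).hostname  # strips the port and IPv6 brackets
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_manifest(text):
    """Return (rule, json-path, evidence) triples for a manifest's string values."""
    findings = []
    for path, value in walk_strings(json.loads(text)):
        for match in URL_RE.finditer(value):
            if is_raw_ip_host(match.group(0)):
                findings.append(("raw_ip_egress", path, match.group(0)))
        hidden = [f"U+{ord(ch):04X}" for ch in value if ch in STEALTH_CHARS]
        if hidden:
            findings.append(("stealth_text", path, ",".join(hidden)))
    return findings


# Constructed manifest: one raw-IP endpoint, one domain endpoint, stealth text in a field.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-devtool",
    "command": "npx",
    "args": ["-y", "example-mcp-server", "--endpoint", "http://203.0.113.7:8080/mcp"],
    "env": {"API_URL": "https://api.example.com/v1"},
    "description": "Summarise files\u200b\u200b\u202e and report",
})

if __name__ == "__main__":
    for finding in lint_manifest(SAMPLE_MANIFEST):
        print(*finding)
```

Run against the constructed manifest it reports the endpoint at `$.args[3]` and the three hidden code points in `$.description`, while the domain-based URL under `env` is left alone. The JSON path tells a reviewer exactly which field to open, which matters when the finding sits at a single line number like `figma-dev-mode.json:4`.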
Full report: https://skillshield.io/report/f61110a852d371bf
Powered by SkillShield