Trust Assessment
invoice-organizer received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Potential Command Injection via Shell Execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via Shell Execution: The skill explicitly instructs the LLM to execute shell commands such as `find`, `mkdir`, `cp`, and `mv`. While the examples provided in the skill's instructions use hardcoded or internally derived arguments, the presence of direct shell command execution creates a vulnerability. If arguments to these commands are constructed from untrusted user input without robust sanitization, an attacker could inject arbitrary commands, leading to remote code execution or system compromise. Implement strict input sanitization and validation for any arguments passed to shell commands. Consider using safer, language-native file system operations instead of direct shell commands where possible. If shell commands are essential, ensure they are executed with minimal privileges and within a sandboxed environment, and use parameterized execution or escape all user-controlled input carefully. | Static | SKILL.md:100 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Excessive Filesystem Permissions via Shell Commands: The skill's instructions involve shell commands (`find .`, `mkdir -p`, `cp`, `mv`) that grant broad filesystem access within the execution environment. `find .` can list all files and directories from the current working directory downwards, potentially exposing sensitive file paths or names. `mkdir -p`, `cp`, and `mv` allow the creation, copying, and moving of files and directories anywhere the process has write permissions. While this level of access is necessary for the skill's stated purpose of organizing files, it is inherently powerful and could be misused if the skill's logic is compromised or if it's invoked in a sensitive directory by the user, leading to unintended data modification or exposure. Restrict the skill's execution environment to the minimum necessary filesystem scope. Implement explicit user confirmation for file operations, especially moves or deletions. Advise users to run the skill only in designated, non-sensitive directories. Explore sandboxing mechanisms or capabilities-based security models to limit the impact of potential misuse. | Static | SKILL.md:100 |
| LOW | Covert behavior / concealment directives: Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |