Trust Assessment
lint-and-validate received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 1 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Network egress to untrusted endpoints.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/development/lint-and-validate/scripts/lint_runner.py:80 | |
| CRITICAL | Command Injection via untrusted npm scripts The `lint_runner.py` script is designed to execute `npm run lint` within a user-provided `project_path`. If the `project_path` contains a malicious `package.json` file with a `lint` script that performs harmful actions (e.g., `rm -rf /`), the skill will execute this command due to its declared `Bash` permissions. This allows for arbitrary command injection by providing a specially crafted `package.json` file. Avoid executing user-defined scripts directly. Instead of `npm run lint`, consider executing specific linter binaries (e.g., `npx eslint .`) with explicit configuration files, or parse `package.json` to extract linter configurations and run them in a controlled, sandboxed manner. If user-defined scripts are absolutely necessary, implement strict sandboxing to prevent filesystem access or network calls outside the project directory. Re-evaluate if `Bash` permission is strictly necessary for the skill, or if more granular permissions could be used. | Static | scripts/lint_runner.py:70 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_linter'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/development/lint-and-validate/scripts/lint_runner.py:80 | |
| HIGH | LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 3 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Scan History
Embed Code
[](https://skillshield.io/report/04b5903a869c02bf)
Powered by SkillShield