Security Audit
obsidian-clipper-template-creator
github.com/davila7/claude-code-templates
Trust Assessment
obsidian-clipper-template-creator received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include "Network egress to untrusted endpoints", "Covert behavior / concealment directives", and "Potential Server-Side Request Forgery (SSRF) via WebFetch".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Server-Side Request Forgery (SSRF) via WebFetch: The skill instructs the LLM to 'Use `WebFetch` to retrieve the page HTML' based on a user-provided URL. If the `WebFetch` tool is not properly sandboxed or configured to prevent access to internal network resources, a malicious user could provide a URL pointing to internal IP addresses or cloud metadata endpoints. This could lead to information disclosure, interaction with internal services, or other SSRF-related attacks. Remediation: Ensure the `WebFetch` tool is strictly configured to only access public internet resources and prevent requests to private IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1) and cloud metadata endpoints. Implement URL validation and sanitization before passing URLs to `WebFetch`. | LLM | SKILL.md:20 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Potential Data Exfiltration/Excessive Permissions via File Read: The skill instructs the LLM to 'Read `Templates/Bases/*.base`'. While the path is somewhat constrained, the use of a wildcard (`*`) and the instruction to read local files could pose a risk. If the underlying file reading mechanism is vulnerable to path traversal (e.g., by an attacker crafting a base name like `../../../../etc/passwd.base`) or if the LLM's file access is not strictly sandboxed to the skill's intended data directory, it could lead to unauthorized reading of arbitrary files on the host system. Remediation: Ensure the LLM's file reading capabilities are strictly sandboxed to the skill's designated data directories. Implement robust path sanitization and validation to prevent path traversal attacks. Consider using a more explicit file listing mechanism rather than a wildcard if possible, or ensure the file reading tool only accepts fully qualified, validated paths within the allowed scope. | LLM | SKILL.md:13 |
| LOW | Covert behavior / concealment directives: Multiple zero-width characters (stealth text). Remediation: Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |