Trust Assessment
openai-docs received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, and Command Injection via `codex mcp add`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Attempted Privilege Escalation / Excessive Permissions.** The skill instructs the LLM to 'immediately retry the same command with escalated permissions' if the initial command fails due to permissions. This is a critical security flaw as it explicitly attempts to bypass security controls and gain higher privileges, which could lead to unauthorized system access or compromise if successful. Never instruct the LLM to attempt privilege escalation or bypass security mechanisms. The LLM should operate within its defined permissions and gracefully handle permission errors without attempting to escalate. Any actions requiring elevated privileges must be explicitly approved and executed by the user or a secure, authorized system process. | LLM | SKILL.md:26 |
| HIGH | **Command Injection via `codex mcp add`.** The skill explicitly instructs the LLM to execute a shell command `codex mcp add openaiDeveloperDocs --url https://developers.openai.com/mcp`. Allowing the LLM to execute arbitrary commands, even seemingly benign ones, introduces a command injection vulnerability. A malicious actor could potentially manipulate the LLM to execute different commands or install tools from untrusted sources if the `--url` parameter could be influenced. Remove direct instructions for the LLM to execute shell commands. If tool installation is necessary, it should be handled by a pre-approved, sandboxed mechanism or by prompting the user with clear warnings and requiring explicit user confirmation for each step, without the LLM attempting to execute it directly. | LLM | SKILL.md:25 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |