Trust Assessment
peer-review received a trust score of 45/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 0 critical, 3 high, 1 medium, and 1 low severity. Key findings include Dangerous tool allowed: Bash, Network egress to untrusted endpoints, Covert behavior / concealment directives.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Dangerous tool allowed: Bash The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | cli-tool/components/skills/scientific/peer-review/SKILL.md:1 | |
| HIGH | Potential Command Injection via user-controlled argument in Bash execution The skill instructs the agent to execute a `bash` command that calls a Python script (`scripts/generate_schematic.py`). A placeholder for user input, '"your diagram description"', is passed directly as an argument. If the actual user input is not properly sanitized or escaped by the `generate_schematic.py` script before being used in a shell context (e.g., via `subprocess.run(..., shell=True)`), an attacker could inject arbitrary shell commands. Ensure the `generate_schematic.py` script rigorously sanitizes or escapes all user-provided arguments before using them in any shell command. The safest approach is to use `subprocess.run` with `shell=False` and pass arguments as a list, which prevents shell interpretation of the arguments. | Static | SKILL.md:38 | |
| HIGH | Potential Command Injection via user-controlled filename in Bash execution The skill instructs the agent to execute a `bash` command that calls a Python script (`skills/scientific-slides/scripts/pdf_to_images.py`). A user-provided filename, 'presentation.pdf', is passed directly as an argument. If this filename is not properly sanitized or escaped by the `pdf_to_images.py` script before being used in a shell context, an attacker could inject arbitrary shell commands by crafting a malicious filename (e.g., `'; rm -rf /'`). Ensure the `pdf_to_images.py` script rigorously sanitizes or escapes all user-provided filenames before using them in any shell command. The safest approach is to use `subprocess.run` with `shell=False` and pass arguments as a list, which prevents shell interpretation of the arguments. | Static | SKILL.md:309 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Scan History
Embed Code
[](https://skillshield.io/report/955fd0ac66d12ef2)
Powered by SkillShield