Security Audit
planning-with-files
github.com/davila7/claude-code-templates
Trust Assessment
planning-with-files received a trust score of 40/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 3 high, 1 medium, and 1 low severity. Key findings include: Dangerous tool allowed: Bash; Network egress to untrusted endpoints; Covert behavior / concealment directives.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Excessive 'Bash' permission allows arbitrary command execution. The skill declares 'Bash' as an allowed tool. This permission grants the LLM the ability to execute arbitrary shell commands on the host system. An attacker could craft a prompt to the LLM to execute malicious commands, leading to data exfiltration, system compromise, or denial of service. This is the most critical permission as it bypasses many other security controls. Remove or restrict the 'Bash' permission. If shell execution is absolutely necessary, use a more constrained tool or ensure all inputs to shell commands are rigorously sanitized and validated. | LLM | Manifest:1 |
| HIGH | Dangerous tool allowed: Bash. The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | cli-tool/components/skills/productivity/planning-with-files/SKILL.md:1 |
| HIGH | Command injection vulnerability in `scripts/check-complete.sh` via unsanitized argument. The `scripts/check-complete.sh` script uses an unsanitized argument (`$1`) to define the `PLAN_FILE` variable, which is then used directly in `grep` commands. If the LLM is prompted to execute this script with a malicious argument (e.g., `scripts/check-complete.sh "; rm -rf /"`), it could lead to arbitrary command execution on the host system. Although the manifest's `Stop` hook calls this script without arguments (making it safe in that specific context), the declared 'Bash' permission allows the LLM to call it with arbitrary, untrusted arguments. Sanitize or validate all arguments passed to shell commands. For file paths, ensure they are valid and do not contain shell metacharacters. Consider using `printf %q` for quoting arguments if they must be passed to shell commands, or use a safer method for file access that doesn't involve direct shell interpolation of user input. | LLM | scripts/check-complete.sh:7 |
| HIGH | Command injection vulnerability in `scripts/init-session.sh` via unsanitized argument. The `scripts/init-session.sh` script uses an unsanitized argument (`$1`) to define the `PROJECT_NAME` variable. If the LLM is prompted to execute this script with a malicious argument (e.g., `scripts/init-session.sh "my_project; rm -rf /"`), it could lead to arbitrary command execution on the host system. The declared 'Bash' permission allows the LLM to call this script with arbitrary, untrusted arguments. Sanitize or validate all arguments passed to shell commands. For project names, ensure they are valid and do not contain shell metacharacters. Consider using `printf %q` for quoting arguments if they must be passed to shell commands. | LLM | scripts/init-session.sh:6 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | Covert behavior / concealment directives: multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |