Trust Assessment
skill-creator received a trust score of 53/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 2 medium, and 1 low severity. Key findings include network egress to untrusted endpoints, covert behavior / concealment directives, and path traversal in skill initialization.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Path Traversal in Skill Initialization: The `init_skill.py` script uses the `skill-name` argument directly to construct directory paths and filenames without proper sanitization. An attacker could provide a `skill-name` containing path traversal sequences (e.g., `../`, `/`) to create files or directories outside the intended `output-directory`. This could lead to arbitrary file creation or overwriting in sensitive locations. Remediation: Sanitize the `skill_name` argument to remove or disallow path traversal characters (e.g., `/`, `\`, `..`) before using it to construct file paths. The `quick_validate.py` script already has a regex for skill names (`^[a-z0-9-]+$`) which should be applied here. | Static | scripts/init_skill.py:20 |
| HIGH | Path Traversal and Data Exfiltration in Skill Packaging: The `package_skill.py` script takes a `skill_path` argument from `sys.argv` and resolves it using `Path(skill_path).resolve()`. If an attacker provides a malicious `skill_path` (e.g., `../../../../etc`), the script will attempt to process files from an arbitrary system directory. If a `SKILL.md` file (or a crafted one) is found in that arbitrary location, the script will then zip all files within that directory, leading to potential data exfiltration of sensitive system files. Remediation: Before resolving or using `skill_path`, validate that it points to a legitimate skill directory within an expected base path, or at least sanitize it to prevent path traversal. Ensure that the `skill_path` does not escape a designated safe working directory. Additionally, the `validate_skill` function should be called earlier to prevent processing of arbitrary directories. | Static | scripts/package_skill.py:20 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Path Traversal and Information Leak in Skill Validation: The `quick_validate.py` script takes a `skill_path` argument from `sys.argv` and uses it to construct a path to `SKILL.md` without sanitization. An attacker could provide a `skill_path` like `../../../../etc/passwd` or `../../../../var/log/syslog`. The script would then attempt to read the content of this arbitrary file using `skill_md.read_text()`. Although it would likely fail subsequent YAML parsing, the act of reading an arbitrary file and potentially leaking its existence or partial content through error messages constitutes an information leak. Remediation: Sanitize the `skill_path` argument to prevent path traversal before constructing `skill_md`. Ensure that `skill_path` is confined to an expected skill repository or a designated safe directory. Alternatively, implement stricter checks to ensure `skill_path` is a subdirectory of a known safe root. | Static | scripts/quick_validate.py:15 |
| LOW | Covert behavior / concealment directives: Multiple zero-width characters (stealth text). Remediation: Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |