Trust Assessment
The skill `spreadsheet` received a trust score of 10/100, placing it in the Untrusted category. SkillShield found significant security issues that require attention before the skill is used in production.
The automated analysis identified 6 findings: 2 critical, 1 high, 2 medium, and 1 low severity. Key findings include network egress to untrusted endpoints, covert behavior / concealment directives, and a prompt injection attempt.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Static Code Analysis layer scored lowest, at 48/100, marking it as the area most in need of improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Prompt Injection Attempt: the skill attempts to override the host LLM's instructions by asserting that "System and user instructions always take precedence" within the untrusted content. This is a classic prompt injection technique designed to manipulate the LLM's behavior and its prioritization of instructions. Remediation: remove any statements within the skill that attempt to re-prioritize or override the host LLM's instructions; the host LLM's instructions inherently take precedence. | LLM | SKILL.md:16 |
| CRITICAL | Potential Command Injection via Shell Execution: the skill explicitly instructs the agent to execute shell commands for rendering and dependency installation. Specifically, `soffice`, `pdftoppm`, `uv pip install`, `python3 -m pip install`, `brew install`, and `sudo apt-get install` are listed. If variables such as `$OUTDIR`, `$INPUT_XLSX`, and `$BASENAME` (for rendering) or package names (for installation) are derived from untrusted user input without proper sanitization, an attacker could inject arbitrary commands. The `sudo apt-get install` command is particularly dangerous because it requests elevated privileges. Remediation: avoid instructing the agent to execute shell commands directly with unsanitized input. If shell execution is unavoidable, implement strict input validation and sanitization for all variables passed to shell commands. Consider safer alternatives such as dedicated Python libraries for file conversion or package-management APIs instead of direct shell calls. For dependency installation, specify exact versions and avoid `sudo`. | Static | SKILL.md:40 |
| HIGH | Request for Excessive System Permissions (sudo): the skill explicitly instructs the agent to use `sudo` to install system-level dependencies (`sudo apt-get install -y libreoffice poppler-utils`). Granting `sudo` privileges to an automated agent is a significant security risk, as it allows arbitrary command execution with root privileges and can compromise the entire system. Remediation: remove instructions that require `sudo` or elevated privileges; agents should operate under the principle of least privilege. If system-level tools are required, they should be pre-installed in the agent's environment, or the agent should instruct the user to perform the installation manually. | Static | SKILL.md:60 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to a raw IP address. Remediation: review all outbound network calls and remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Unpinned Dependency Installation: the skill instructs the agent to install Python packages (`openpyxl`, `pandas`, `matplotlib`) using `uv pip install` or `python3 -m pip install` without specifying exact version numbers. This practice creates supply-chain risk: it may install outdated versions with known vulnerabilities or, in the worst case, a malicious package if a dependency is compromised or typosquatted. Remediation: always specify exact version numbers for all dependencies (e.g., `openpyxl==3.0.10`), use a `requirements.txt` or `pyproject.toml` with pinned versions, and instruct the agent to install from a trusted source and verify package integrity where possible. | Static | SKILL.md:49 |
| LOW | Covert behavior / concealment directives: multiple zero-width characters (stealth text). Remediation: remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/ff8830ce39ee4a4c (powered by SkillShield)