Trust Assessment
writing-plans received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 2 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Skill attempts to dictate LLM's introductory statement.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Skill attempts to dictate LLM's introductory statement | The untrusted skill definition contains a direct instruction for the host LLM to announce a specific phrase at the start of its interaction: 'Announce at start: "I'm using the writing-plans skill to create the implementation plan."'. This is a prompt injection attempt as it tries to control the LLM's conversational output, bypassing its natural response generation. | Remove direct instructions for the LLM's conversational output from the skill definition. The LLM should decide its own phrasing based on its core instructions and context, not be dictated by the skill. | LLM | SKILL.md:10 |
| CRITICAL | Skill attempts to force specific sub-skill execution | The untrusted skill definition includes multiple 'REQUIRED SUB-SKILL' directives, explicitly instructing the host LLM to use 'superpowers:executing-plans' and 'superpowers:subagent-driven-development'. This is a prompt injection attempt as it tries to dictate the LLM's tool/skill usage, bypassing its own reasoning for tool selection and potentially forcing the use of unintended or insecure tools. | Remove 'REQUIRED SUB-SKILL' directives from the skill definition. The LLM should determine appropriate tool usage based on its task and available tools, not be forced by the skill itself. If a skill inherently requires another, this should be handled by the system's skill dependency management, not by direct LLM instruction. | LLM | SKILL.md:30 |
| HIGH | Skill defines templates for shell command generation | The untrusted skill definition provides explicit templates for generating shell commands (`pytest`, `git add`, `git commit`) within the implementation plan. It also instructs the LLM to include 'Exact commands with expected output'. While this skill itself generates a *plan*, it explicitly dictates the structure and content of commands that are intended for execution by downstream skills (e.g., 'executing-plans'). If the LLM is compromised or the downstream execution environment is not sandboxed, these templates could be used to construct and execute arbitrary commands, leading to command injection. | Implement strict sanitization and validation of any user-provided input that influences the generated commands. Ensure that the execution environment for these commands (e.g., 'executing-plans' skill) is heavily sandboxed and uses allow-lists for commands and arguments, rather than directly executing arbitrary strings. Consider making command generation more abstract, allowing the execution skill to determine the exact command based on context. | LLM | SKILL.md:54 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Skill instructs LLM to write files to filesystem | The untrusted skill definition instructs the LLM to save generated plans to `docs/plans/YYYY-MM-DD-<feature-name>.md`. It also defines plan elements that involve `Create: exact/path/to/file.py` and `Modify: exact/path/to/existing.py`. This indicates an intention for the LLM to perform file system write operations. While the specified path `docs/plans` is relatively benign, the ability to create/modify files at arbitrary `exact/path/to/file.py` locations, if influenced by user input, could lead to writing to sensitive system files, overwriting critical data, or exfiltrating data by writing it to publicly accessible locations. | Restrict the LLM's file system write access to a tightly controlled, sandboxed directory. Implement strict validation and sanitization for any file paths generated based on user input to prevent directory traversal or writing to unintended locations. Ensure that the execution environment for file operations (e.g., 'executing-plans' skill) enforces these restrictions. | LLM | SKILL.md:13 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text) | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |