Trust Assessment
writing-skills received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 3 critical, 2 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Network egress to untrusted endpoints, Covert behavior / concealment directives.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 1/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings8
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/development/writing-skills/render-graphs.js:18 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/development/writing-skills/render-graphs.js:72 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/development/writing-skills/render-graphs.js:112 | |
| HIGH | Command Injection via Graphviz dot input The `render-graphs.js` script uses `execSync('dot -Tsvg', { input: dotContent, ... })` where `dotContent` is extracted directly from the `SKILL.md` file. If a malicious `dot` graph is embedded in `SKILL.md`, it could contain `command` attributes or other features that allow arbitrary command execution when processed by the `dot` utility. This poses a significant command injection vulnerability. Sanitize `dotContent` to remove any potentially malicious attributes (e.g., `command`, `URL` that could lead to local file access or script execution) before passing it to `dot`. Alternatively, run the `dot` command in a highly restricted sandbox environment (e.g., a container with minimal permissions and no network access) or use a library that parses and renders `dot` graphs without invoking the external `dot` executable. | Static | render-graphs.js:95 | |
| HIGH | LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 3 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| MEDIUM | Path Traversal in output directory creation The `render-graphs.js` script constructs the output directory path (`skillDir/diagrams`) using `path.join(skillDir, 'diagrams')`, where `skillDir` is derived from `process.argv`. While `path.resolve` is used, if `skillDirArg` contains path traversal sequences (e.g., `../../`) that resolve to a directory outside the intended skill's root, an attacker could potentially cause the script to write SVG or DOT files to arbitrary locations on the filesystem. Implement robust validation for `skillDirArg` to ensure it does not contain path traversal sequences. After resolving `skillDir`, verify that it is a subdirectory of an expected, safe base path (e.g., a dedicated skills directory) before proceeding to create or write files within it. | Static | render-graphs.js:80 | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Scan History
Embed Code
[](https://skillshield.io/report/8da53b60ae62563c)
Powered by SkillShield