Trust Assessment
writing-skills received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 4 critical, 3 high, 1 medium, and 1 low severity. Key findings include Arbitrary command execution, Network egress to untrusted endpoints, Covert behavior / concealment directives.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 1/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings9
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/writing-skills/render-graphs.js:18 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/writing-skills/render-graphs.js:72 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/productivity/writing-skills/render-graphs.js:112 | |
| CRITICAL | Path Traversal leading to Arbitrary File Read/Write and Command Injection The `render-graphs.js` script takes a `skill-directory` as a command-line argument. This argument is used with `path.resolve()` and `path.join()` to construct file paths for reading `SKILL.md` and writing `.svg` and `.dot` files. An attacker can provide a path traversal sequence (e.g., `../../etc`) in `skill-directory` to read arbitrary files (e.g., `/etc/passwd`) or write files to arbitrary locations on the filesystem (e.g., `/tmp/malicious.svg`, `/etc/cron.d/malicious_job`). Writing to sensitive locations can lead to denial of service, privilege escalation, or arbitrary code execution. Sanitize or validate the `skillDirArg` input to ensure it refers to a directory strictly within the intended skill package. A common approach is to resolve the path and then check if it starts with a known, trusted base directory, or to use a library that safely handles path resolution within a confined directory. | Static | render-graphs.js:60 | |
| HIGH | Arbitrary File Read via Path Traversal Due to the path traversal vulnerability in handling `skillDirArg`, the script can be coerced into reading `SKILL.md` from an arbitrary location on the filesystem. If a sensitive file exists at the manipulated path (e.g., `/etc/passwd`, `/proc/self/environ`), its contents could be read by the script. While the script itself doesn't exfiltrate this data over a network, the agent executing this script might then process or expose this sensitive information. Implement strict validation for the `skillDirArg` to prevent path traversal. Ensure that the resolved path is always a subdirectory of the expected skill root directory. For example, after `path.resolve(skillDirArg)`, verify that the resulting path is a child of the base skills directory. | Static | render-graphs.js:70 | |
| HIGH | Arbitrary File Write via Path Traversal The script creates an `outputDir` and writes `.svg` and `.dot` files into it. Because `outputDir` is derived from the user-provided `skillDirArg` via `path.resolve()` and `path.join()`, an attacker can specify a path traversal sequence to write files to arbitrary locations on the filesystem. This could lead to denial of service (filling up critical directories), or potentially arbitrary code execution if files are written to locations like cron job directories or startup scripts. Sanitize or validate the `skillDirArg` to prevent path traversal. Ensure that all file write operations are strictly confined to the intended skill directory or a designated secure temporary directory. Consider using a sandboxing mechanism if available in the execution environment. | Static | render-graphs.js:80 | |
| HIGH | LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 5 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Scan History
Embed Code
[](https://skillshield.io/report/1dfc7d8786b59d86)
Powered by SkillShield