Trust Assessment
react:components received a trust score of 11/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 3 high, 2 medium, and 0 low severity. Key findings include "Dangerous tool allowed: Bash", "Unpinned npm dependency version", and "Potential Command Injection via Bash Script Argument".
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. The static_code_analysis layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit 51d6d5ab). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Excessive Permissions Declared.** The skill declares overly broad permissions, specifically `Bash`, `Read`, and `Write`. The `Bash` tool allows arbitrary command execution, which is a significant security risk. `Read` and `Write` permissions grant broad filesystem access. This combination, especially when coupled with user-controlled inputs, greatly increases the attack surface and potential for severe compromise, including data exfiltration, system modification, and command injection. Review and restrict the `allowed-tools` to the absolute minimum necessary for the skill's functionality. If `Bash` is truly required, ensure all inputs to bash commands are rigorously sanitized and validated. Consider replacing direct `Bash` calls with more constrained, purpose-built tools or APIs where possible. Limit `Read` and `Write` permissions to specific directories or file types if feasible. | Unknown | Manifest:1 |
| HIGH | **Dangerous tool allowed: Bash.** The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Unknown | /tmp/skillscan-clone-ax_9q9jj/repo/skills/react-components/SKILL.md:1 |
| HIGH | **Potential Command Injection via Bash Script Argument.** The skill instructs the LLM to execute a bash script (`scripts/fetch-stitch.sh`) using the `Bash` tool, passing `[htmlCode.downloadUrl]` as an argument. Although the skill mentions quoting the URL, if the LLM fails to properly sanitize or quote the `htmlCode.downloadUrl` input, or if the URL itself contains sophisticated shell metacharacters that can escape the quoting, it could lead to arbitrary command execution on the host system. The `fetch-stitch.sh` script directly uses `$1` (the URL) within a `curl` command. Implement robust input validation and sanitization for `htmlCode.downloadUrl` before passing it to the bash script. Consider using a safer method for downloading, such as a dedicated `web_fetch` tool with URL validation, rather than direct shell execution with user-controlled arguments. If `Bash` must be used, ensure the LLM's quoting mechanism is thoroughly tested against various injection payloads. | Unknown | SKILL.md:15 |
| HIGH | **Arbitrary File Read (Path Traversal) in Validation Script.** The `scripts/validate.js` script reads a file path directly from `process.argv[2]` (a command-line argument) using `fs.readFileSync`. If the `<file_path>` argument provided by the LLM (which could originate from untrusted user input) is not properly sanitized, an attacker could supply a path traversal sequence (e.g., `../../../../etc/passwd`) to read arbitrary files on the system. This is a direct path traversal vulnerability. Before calling `fs.readFileSync`, sanitize and validate the `filePath` argument to ensure it is within expected directories and does not contain path traversal sequences. For example, resolve the path to its canonical form and verify it starts with an allowed base directory, or use a library that safely handles file paths. | Unknown | scripts/validate.js:50 |
| MEDIUM | **Unpinned npm dependency version.** Dependency '@swc/core' is not pinned to an exact version ('^1.3.100'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Unknown | /tmp/skillscan-clone-ax_9q9jj/repo/skills/react-components/package.json |
| MEDIUM | **Unpinned Dependency in package.json.** The `package.json` file specifies `@swc/core` with a caret (`^`) version range (`^1.3.100`). This allows for automatic updates to minor and patch versions, which introduces a supply chain risk. A malicious update to the `@swc/core` package or any of its transitive dependencies could introduce vulnerabilities or backdoors without explicit review, even if the major version remains the same. Pin dependencies to exact versions (e.g., `"@swc/core": "1.15.8"`) to ensure deterministic builds and prevent unexpected or malicious updates. Regularly audit and manually update dependencies after reviewing their changelogs and security advisories. Alternatively, use a dependency locking mechanism (like `package-lock.json` or `yarn.lock`) and ensure it is always respected during installation. | Unknown | package.json:9 |