Trust Assessment
stitch-loop received a trust score of 34/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include "Dangerous tool allowed: Bash", "Path Traversal via Unsanitized Page Name in File Operations", and "Prompt Injection into Stitch Generation Tool".
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The static_code_analysis layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit 51d6d5ab). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Path Traversal via Unsanitized Page Name in File Operations. The skill instructs the agent to extract a 'page' name from `next-prompt.md` and use it directly in file paths (e.g., `queue/{page}.html`, `site/public/{page}.html`). Given that the skill declares `Bash` permissions and describes file movement operations (e.g., 'Move generated HTML from `queue/{page}.html` to `site/public/{page}.html`'), an attacker could craft `next-prompt.md` with a malicious page name like `../../etc/passwd` to achieve path traversal. This could lead to reading, writing, or overwriting arbitrary files on the host system via `Bash` commands. Implement robust sanitization for the `page` name extracted from `next-prompt.md` to ensure it only contains valid filename characters and does not include path separators (e.g., `/`, `\`, `..`). All file system operations involving user-controlled paths must use a secure file system API that prevents path traversal, rather than directly concatenating strings into shell commands. | Unknown | SKILL.md:78 |
| HIGH | Dangerous tool allowed: Bash. The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Unknown | /tmp/skillscan-clone-mbyw4eqg/repo/skills/stitch-loop/SKILL.md:1 |
| HIGH | Prompt Injection into Stitch Generation Tool. The skill instructs the agent to take 'Prompt content from the markdown body' of `next-prompt.md` and pass it directly as the `prompt` argument to the `[prefix]:generate_screen_from_text` tool. If an attacker can control the content of `next-prompt.md` (e.g., by modifying the file directly or through a previous agent iteration), they can inject malicious instructions into the `prompt` to manipulate the behavior of the `stitch` generation tool, potentially leading to unintended outputs or actions. Implement strict input validation and sanitization for the prompt content extracted from `next-prompt.md` before passing it to the `generate_screen_from_text` tool. Consider using a 'defensive prompt' strategy or a separate LLM to filter or rephrase user-provided prompts to mitigate injection risks. | Unknown | SKILL.md:56 |
| MEDIUM | Excessive Wildcard Permissions for Stitch and Chrome Tools. The skill declares `stitch*:*` and `chrome*:*` permissions. While scoped to specific tool namespaces, the `*` wildcard grants access to all sub-tools and actions within those namespaces. This provides broader access than strictly necessary, potentially allowing the agent to invoke sensitive or unintended functions within the `stitch` or `chrome` tool ecosystems if they exist, beyond what is explicitly described in the skill. Refine the `allowed-tools` list to specify only the exact `stitch` and `chrome` sub-tools and actions required for the skill's functionality (e.g., `stitch:create_project`, `stitch:generate_screen_from_text`, `chrome:navigate`, `chrome:screenshot`). Avoid using `*` wildcards unless absolutely all sub-tools are genuinely required and their security implications are fully understood. | Unknown | Manifest:2 |