Trust Assessment
doc-coauthoring received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. The key findings are: Broad Data Access via Unspecified Integrations and Direct File System Reads; Unrestricted File Creation in Agent's Working Directory; and Ambiguous `str_replace` Tool Call with Potential for Arbitrary File Modification.
The analysis covered 4 layers: dependency_graph, static_code_analysis, manifest_analysis, llm_behavioral_safety. The llm_behavioral_safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (3)
| Severity | Finding | Description | Recommendations | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Broad Data Access via Unspecified Integrations and Direct File System Reads | The skill instructs the agent to use 'appropriate integrations' to fetch content from user-provided links, read user-provided files, and pull context from various messaging/document platforms (Slack, Teams, Google Drive, SharePoint). It also suggests searching 'connected tools.' The scope and permissions of these integrations and the direct file reading capability are undefined. A malicious user could provide links to sensitive internal documents, arbitrary file paths, or request data pulls from unauthorized sources, leading to data exfiltration or unauthorized access. | 1. **Specify Integrations:** Clearly list which integrations are allowed and their exact capabilities. 2. **Strict Validation:** Implement robust validation for all user-provided links and file paths (e.g., allowlist domains, restrict file extensions/types, prevent path traversal). 3. **Least Privilege:** Ensure integrations operate with the minimum necessary permissions. 4. **Explicit Consent:** Require explicit, granular user consent before accessing any external data source or file. 5. **Sandboxing:** If reading local files, ensure operations are strictly sandboxed to a secure, temporary directory. | Unknown | SKILL.md:40 |
| HIGH | Unrestricted File Creation in Agent's Working Directory | The skill instructs the agent to create files, either as 'artifacts' using `create_file` or directly 'in the working directory' if artifacts are unavailable. If a malicious user can influence the filename (e.g., through prompt injection or by suggesting a filename like `../../.bashrc`), this could lead to path traversal, overwriting critical system files, or creating malicious executables in unexpected locations. Even without path traversal, creating an excessive number of large files could lead to a denial of service. | 1. **Sandbox File Operations:** Restrict all file creation to a dedicated, isolated, and temporary directory that is cleared after use. 2. **Strict Filename Sanitization:** Implement rigorous sanitization and validation for any user-influenced filenames to prevent path traversal (e.g., disallow `..`, `/`, `\`, and other special characters). 3. **Resource Limits:** Implement limits on file size and total storage to prevent denial-of-service attacks. | Unknown | SKILL.md:139 |
| MEDIUM | Ambiguous `str_replace` Tool Call with Potential for Arbitrary File Modification | The skill instructs the agent to 'Use `str_replace` to replace the placeholder text' and 'Use `str_replace` to make edits.' The nature of `str_replace` is not defined. If `str_replace` is an external tool call that accepts a file path and a pattern/replacement string, a malicious user could potentially inject commands or modify arbitrary files on the system if the tool is not properly sandboxed and its inputs are not validated. If it is an internal, safe string manipulation on the document content, the risk is low. The current description leaves this ambiguity. | 1. **Clarify `str_replace`:** Explicitly define `str_replace` as an internal, safe string manipulation function that operates only on the in-memory content of the document being co-authored. 2. **Avoid External Tools for String Ops:** If `str_replace` refers to an external tool, replace it with a secure, internal string processing method or ensure the tool is heavily sandboxed and its inputs are strictly validated to prevent arbitrary file access or command injection. | Unknown | SKILL.md:190 |
Full report: https://skillshield.io/report/a12ffb04b48e2f25