Trust Assessment
filesystem-context received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Command Injection via `grep` tool, Excessive Filesystem Permissions via `read_file` and `write_file`.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, static_code_analysis, manifest_analysis. The llm_behavioral_safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via `grep` tool. The `grep` method in the `FilesystemTools` class uses `subprocess.run` to execute the `grep` command directly. The `pattern` and `file_path` arguments are passed to the shell command without sanitization or escaping, so an attacker who controls either value can inject arbitrary shell commands, leading to remote code execution or data exfiltration. Remediation: do not build a command string from untrusted input. The safest option is to read the file in Python and search it with the `re` module, which removes the subprocess entirely. If an external `grep` is required, pass an argument list with the default `shell=False` (never `shell=True` with a string) so each argument reaches `grep` as a single argv entry, and apply `shlex.quote` only where a shell string is unavoidable. | Unknown | scripts/filesystem_context.py:307 |
| HIGH | Excessive Filesystem Permissions via `read_file` and `write_file`. The `read_file` and `write_file` methods in the `FilesystemTools` class allow an agent to read from and write to arbitrary file paths on the system. No path validation, sandboxing, or access control is implemented, so the agent can read sensitive files (e.g., `/etc/passwd`, SSH keys), modify critical system configuration, or write malicious executables, leading to data exfiltration, privilege escalation, or system compromise. Remediation: implement strict path validation and sandboxing for all filesystem operations. Restrict access to a designated, isolated directory (e.g., a `workspace` directory) and reject absolute paths and `..` traversal that leave it. Use `Path.resolve()` (which also follows symlinks) together with `Path.is_relative_to()` to confirm the final path stays inside the allowed root. | Unknown | scripts/filesystem_context.py:290 |
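Both findings describe the same two defects in one tool class: a shell command assembled from untrusted strings, and file operations that never check where a path ends up. The example below is added here and is not code from the skill or from SkillShield. It reconstructs the vulnerable `grep` as the finding describes it (assumed to interpolate `pattern` and `file_path` into a `shell=True` string, which is an assumption about the original), then shows the hardened form: an argv list for `subprocess.run` that cannot be split by the shell, a pure-Python `grep`, and `read_file`/`write_file` confined to a workspace root with `Path.resolve()` and `Path.is_relative_to()`. The class and function names are illustrative, and the demo workspace contents are constructed inline.

```python
"""Vulnerable vs. hardened filesystem tool (illustrative, not the skill's code)."""
import re
import shlex
import subprocess
import tempfile
from pathlib import Path


# --- Vulnerable pattern (reconstructed to match the finding; an assumption) ---
# Interpolating untrusted strings into a shell command lets a pattern such as
# "x; echo INJECTED" run arbitrary commands with the agent's privileges.
def grep_unsafe(pattern: str, file_path: str) -> str:
    cmd = f"grep -n {pattern} {file_path}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.stdout


# --- Hardened building blocks ---
def build_grep_argv(pattern: str, file_path: str) -> list:
    """Argument list for subprocess.run(..., shell=False).

    Each element is exactly one argv entry, so shell metacharacters in
    `pattern` are never interpreted. `-e` and `--` keep a pattern or path
    that starts with '-' from being parsed as a grep option.
    """
    return ["grep", "-n", "-e", pattern, "--", file_path]


class SandboxedFilesystemTools:
    """read/write/grep confined to a single workspace directory (hypothetical)."""

    def __init__(self, workspace: str) -> None:
        self.root = Path(workspace).resolve()

    def _resolve(self, user_path: str) -> Path:
        # An absolute input replaces self.root in the join, and resolve()
        # collapses ".." and follows symlinks, so "/etc/passwd", "../x" and a
        # symlink out of the workspace all land outside self.root.
        candidate = (self.root / user_path).resolve()
        if not candidate.is_relative_to(self.root):
            raise PermissionError(f"{user_path!r} escapes workspace {self.root}")
        return candidate

    def read_file(self, user_path: str) -> str:
        return self._resolve(user_path).read_text(encoding="utf-8")

    def write_file(self, user_path: str, content: str) -> int:
        target = self._resolve(user_path)
        target.parent.mkdir(parents=True, exist_ok=True)
        return target.write_text(content, encoding="utf-8")

    def grep(self, pattern: str, user_path: str) -> list:
        # No subprocess at all: Python regex over a sandboxed path.
        regex = re.compile(pattern)
        target = self._resolve(user_path)
        with target.open(encoding="utf-8") as fh:
            return [(n, line.rstrip("\n"))
                    for n, line in enumerate(fh, 1) if regex.search(line)]


def demo() -> dict:
    """Exercise the hardened tools in a throwaway workspace; returns results."""
    results = {}
    with tempfile.TemporaryDirectory() as ws:
        tools = SandboxedFilesystemTools(ws)
        tools.write_file("notes/todo.txt", "alpha\nbeta secret\ngamma\n")  # constructed
        results["grep"] = tools.grep("secret", "notes/todo.txt")
        for bad in ("../../etc/passwd", "/etc/passwd"):
            try:
                tools.read_file(bad)
                results[bad] = "ALLOWED"
            except PermissionError:
                results[bad] = "blocked"
        results["argv"] = build_grep_argv("x; echo INJECTED", "notes/todo.txt")
        # Shell-quoted string, only if a shell string is truly unavoidable.
        results["quoted"] = " ".join(shlex.quote(a) for a in results["argv"])
    return results


def show_injection() -> str:
    """Run the vulnerable grep with an injected pattern (for demonstration)."""
    with tempfile.TemporaryDirectory() as ws:
        target = Path(ws) / "f.txt"
        target.write_text("nothing here\n", encoding="utf-8")
        return grep_unsafe("x; echo INJECTED", str(target))


if __name__ == "__main__":
    print("vulnerable grep output:", show_injection().strip())
    for key, value in demo().items():
        print(key, "->", value)
```

Running the script shows the shell executing the injected `echo` in the vulnerable version, while the hardened version returns the injected text as a single inert argv element and refuses both the `..` and the absolute path. Note that `Path.is_relative_to()` requires Python 3.9 or later.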
Full report: https://skillshield.io/report/9743de26e19ed687