Trust Assessment
lorem-ipsum received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Arbitrary File Write via --output argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Arbitrary File Write via --output argument The `scripts/generate.py` script accepts an `--output` argument which allows specifying an arbitrary file path to write the generated lorem ipsum content. The skill documentation (`SKILL.md`) and the script's docstring confirm this functionality. There is no indication of path sanitization or restriction on the target directory within the provided context. An attacker could provide a malicious file path (e.g., `/etc/passwd`, `/var/www/html/index.html`, or paths involving directory traversal like `../../sensitive.txt`) to overwrite arbitrary files on the system with lorem ipsum content. This could lead to denial of service (by corrupting system files), data loss, or defacement, and potentially indirect remote code execution if a critical script is overwritten. Implement strict validation and sanitization for the `--output` file path. This should include: 1. **Path Sanitization**: Prevent directory traversal attacks (e.g., by resolving to an absolute path and checking for `..`). 2. **Directory Restriction**: Restrict output files to a specific, non-sensitive directory (e.g., a temporary directory or a user-specific output folder). 3. **User Confirmation**: For critical operations like overwriting existing files, prompt the user for explicit confirmation. 4. **Whitelist**: If feasible, restrict output to a whitelist of allowed directories or file extensions. | Static | scripts/generate.py |
Scan History
Embed Code
[](https://skillshield.io/report/c189fff0f696bbb4)
Powered by SkillShield