Trust Assessment
gallery-scraper received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Insecure iframe src assignment leading to Cross-Site Scripting (XSS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on July 1, 2026 (commit a4d31ad1). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Insecure iframe src assignment leading to Cross-Site Scripting (XSS) The 'iframe trick' workflow in SKILL.md dynamically creates an iframe and assigns extracted URLs directly to iframe.src without validation. If a malicious gallery page contains a javascript: link (e.g., matching the .gallery-link selector), the agent may extract it and load it into the iframe, executing arbitrary JavaScript in the context of the authenticated gallery site. This can lead to session hijacking or unauthorized actions. Validate that the URL protocol is strictly 'http:' or 'https:' before assigning it to iframe.src. For example, check if (!url.startsWith('http://') && !url.startsWith('https://')) continue; before creating or loading the iframe. | LLM | SKILL.md:101 |
Scan History
Embed Code
[](https://skillshield.io/report/366909883e2c19e1)
Powered by SkillShield