Trust Assessment
api-designer received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 4 high, 0 medium, and 0 low severity. Key findings include Skill instructs LLM to execute shell commands, Skill instructs LLM to load files, potentially leading to path traversal.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit e8be415b). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Skill instructs LLM to execute shell commands The skill's workflow and output checklist explicitly mention shell commands (`npx @redocly/cli lint openapi.yaml` and `npx @stoplight/prism-cli mock openapi.yaml`). If the LLM's execution environment allows it to interpret these as direct commands to be run in a shell, this could lead to command injection. An attacker could potentially manipulate the `openapi.yaml` content (if it's user-controlled) to inject malicious commands, or exploit the LLM's ability to execute arbitrary commands if its internal state or environment is compromised. Rephrase instructions to describe the *outcome* or *purpose* of the command rather than providing the literal command. For example, 'Validate the OpenAPI 3.1 specification using a linter.' If the LLM is expected to *use* a tool for this, the tool should be explicitly defined and invoked through a safe API, not by embedding shell commands in markdown. | LLM | SKILL.md:10 | |
| HIGH | Skill instructs LLM to execute shell commands The skill's workflow and output checklist explicitly mention shell commands (`npx @redocly/cli lint openapi.yaml` and `npx @stoplight/prism-cli mock openapi.yaml`). If the LLM's execution environment allows it to interpret these as direct commands to be run in a shell, this could lead to command injection. An attacker could potentially manipulate the `openapi.yaml` content (if it's user-controlled) to inject malicious commands, or exploit the LLM's ability to execute arbitrary commands if its internal state or environment is compromised. Rephrase instructions to describe the *outcome* or *purpose* of the command rather than providing the literal command. For example, 'Spin up a mock server to test contracts.' If the LLM is expected to *use* a tool for this, the tool should be explicitly defined and invoked through a safe API, not by embedding shell commands in markdown. | LLM | SKILL.md:11 | |
| HIGH | Skill instructs LLM to execute shell commands The skill's workflow and output checklist explicitly mention shell commands (`npx @redocly/cli lint openapi.yaml` and `npx @stoplight/prism-cli mock openapi.yaml`). If the LLM's execution environment allows it to interpret these as direct commands to be run in a shell, this could lead to command injection. An attacker could potentially manipulate the `openapi.yaml` content (if it's user-controlled) to inject malicious commands, or exploit the LLM's ability to execute arbitrary commands if its internal state or environment is compromised. Rephrase instructions to describe the *outcome* or *purpose* of the command rather than providing the literal command. For example, 'Ensure the OpenAPI 3.1 specification passes validation with no errors.' If the LLM is expected to *use* a tool for this, the tool should be explicitly defined and invoked through a safe API, not by embedding shell commands in markdown. | LLM | SKILL.md:100 | |
| HIGH | Skill instructs LLM to load files, potentially leading to path traversal The 'Reference Guide' section lists several markdown files (`references/rest-patterns.md`, etc.) that the LLM is instructed to 'Load detailed guidance based on context'. If the LLM's underlying file loading mechanism is not properly sandboxed or validated, an attacker could potentially inject path traversal sequences (e.g., `../`, `../../`) or absolute paths into the context (if the context can be manipulated) to cause the LLM to load and potentially exfiltrate arbitrary files from the system (e.g., `/etc/passwd`, environment variables, other skill files). Ensure that any file loading mechanism used by the LLM is strictly sandboxed to the skill's intended directory and validates file paths to prevent path traversal. Implement an allowlist for file paths that can be loaded. The LLM should not be able to construct arbitrary file paths from user input or its own reasoning. | LLM | SKILL.md:19 |
Scan History
Embed Code
[](https://skillshield.io/report/c7e06b87e1e73480)
Powered by SkillShield