Trust Assessment
code-documenter received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 1 medium, and 0 low severity. Key findings include Prompt/Command Injection via Explicit Shell Commands in Workflow, Supply Chain Risk: Unpinned External Tool Execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit e8be415b). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Prompt/Command Injection via Explicit Shell Commands in Workflow The skill's 'Core Workflow' section explicitly lists shell commands (`python -m doctest`, `pytest`, `tsc`, `npx @redocly/cli`) as steps the skill should perform. If the host LLM has access to a shell execution tool and interprets these instructions from the untrusted skill description as direct commands to execute, it constitutes a critical prompt injection vulnerability. The `npx` command is particularly dangerous as it can download and execute arbitrary packages from npm, leading to potential remote code execution. Rephrase the 'Validate' steps to describe the *desired outcome* or *tool requirements* rather than providing direct shell commands. If the LLM is intended to use specific tools, these tools should be explicitly defined in the skill's tool definitions (e.g., via a `tools.json` or similar mechanism) and invoked through a controlled API, not by parsing shell commands from a markdown description. Avoid embedding executable commands directly in untrusted descriptive text. | LLM | SKILL.md:30 | |
| MEDIUM | Supply Chain Risk: Unpinned External Tool Execution The 'Core Workflow' instructs the use of `npx @redocly/cli lint openapi.yaml` without specifying a version. This introduces a supply chain risk, as `npx` will fetch the latest version of `@redocly/cli`. A malicious update to this package could be automatically downloaded and executed, compromising the environment where the skill operates. If external tools must be used, specify a pinned version (e.g., `npx @redocly/cli@1.2.3 lint openapi.yaml`) to ensure deterministic and secure execution. Alternatively, ensure the execution environment has strict package integrity checks or uses a private package registry. | LLM | SKILL.md:33 |
Scan History
Embed Code
[](https://skillshield.io/report/c490a72203e98c2c)
Powered by SkillShield