Security Audit
jnMetaCode/superpowers-zh:skills/using-superpowers
github.com/jnMetaCode/superpowers-zh
Trust Assessment
jnMetaCode/superpowers-zh:skills/using-superpowers received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include Aggressive Prompt Injection to Force Skill Usage, Instruction Hierarchy Manipulation, and Tool Usage Control and Restriction.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on March 25, 2026 (commit 03baa780). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Aggressive Prompt Injection to Force Skill Usage | The skill uses highly imperative and manipulative language to force the LLM to call skills, even when there is only a '1% possibility' of applicability. It explicitly attempts to override the LLM's default system prompt behavior and internal reasoning process. The `<EXTREMELY-IMPORTANT>` block and the '红线' (Red Line) section are designed to prevent the LLM from making independent judgments or rationalizing against skill usage, which is a direct attempt to subvert the LLM's autonomy and instruction hierarchy. | Rephrase instructions as guidance or suggestions rather than absolute commands. Remove manipulative language that attempts to override the LLM's internal reasoning or default system prompts. Skills should be presented as tools to assist, not mandatory overrides. | LLM | SKILL.md:10 |
| HIGH | Instruction Hierarchy Manipulation | The skill explicitly defines an instruction priority, placing 'Superpowers 技能' (Superpowers skills) above '默认系统提示' (default system prompt) and attempting to dictate how the LLM should weigh different sources of instructions. This is a direct prompt injection technique to control the LLM's decision-making framework. | Remove or rephrase the explicit instruction hierarchy. The LLM's primary system prompt should define its instruction processing order, with skills providing context or tools, not overriding core directives. | LLM | SKILL.md:20 |
| MEDIUM | Tool Usage Control and Restriction | The skill attempts to control how the LLM interacts with its environment by explicitly instructing it to '绝不要用 Read 工具读取技能文件' (Never use the Read tool to read skill files). While this might be intended to streamline the workflow, it is a form of prompt injection that restricts the LLM's tool usage and its ability to inspect its own instructions, potentially hindering transparency or debugging. | Remove instructions that restrict the LLM's ability to use available tools for inspection or understanding. The LLM should be free to use its tools as it deems appropriate for the task. | LLM | SKILL.md:36 |
| LOW | Implied File System Access for Skill Routing | The '中国特色技能路由' (China-specific skill routing) section instructs the LLM to activate specific skills based on project characteristics such as '中文注释、中文 README、或 .gitee 目录' (Chinese comments, a Chinese README, or a .gitee directory) and 'commit 历史中有中文' (Chinese in the commit history). This implies the LLM is expected to inspect project files and potentially commit history to make routing decisions. While the skill itself contains no code to perform these actions, it creates an expectation that the LLM has broad filesystem access to fulfill this requirement. If the LLM's environment grants such access, this instruction could lead to excessive permissions being exercised. | Clarify how the LLM is expected to obtain this information without requiring broad, unconstrained filesystem access. If file system checks are necessary, specify the exact tools and scope of access required, or provide this information to the LLM through other means. | LLM | SKILL.md:109 |
Full report: https://skillshield.io/report/9ffa44f3e735e7e3 (powered by SkillShield)