Security Audit
lawvable/awesome-legal-skills:skills/skill-optimizer-lawvable
github.com/lawvable/awesome-legal-skills

Trust Assessment
lawvable/awesome-legal-skills:skills/skill-optimizer-lawvable received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include: user-provided text directly incorporated into other skill definitions; broad write access to other skill definitions; and injected instructions that could lead to data exfiltration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 26, 2026 (commit 4d82d4cf). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **User-provided text directly incorporated into other skill definitions.** The skill's core functionality involves taking user feedback (referred to as an "exact instruction to add") and directly writing it into the `SKILL.md` files of other skills. This allows a malicious user to inject arbitrary instructions, including prompt injection payloads, into other skills. These injected instructions could then manipulate the behavior of those skills when they are invoked, potentially overriding safety mechanisms, altering outputs, or causing unintended actions. The skill attempts to "evaluate" signals for quality, but this evaluation is based on criteria like "COMPLETE", "PRECISE", "ATOMIC", and "STABLE", which are focused on instruction clarity, not security. There is no described mechanism to sanitize or prevent malicious instructions from being incorporated. *Recommendation:* Implement robust sanitization and validation of user-provided instructions before they are written to skill definitions. Consider a human review step for proposed changes to skill definitions. Restrict the types of instructions that can be added or modified. Ensure that the LLM's evaluation criteria explicitly include security checks to prevent malicious payloads. | LLM | SKILL.md:108 |
| HIGH | **Broad write access to other skill definitions.** The skill requires write access to `SKILL.md`, `CHANGELOG.md`, and `OBSERVATIONS.md` for *any* skill within the `skills/` directory. This broad permission, combined with the ability to incorporate user-provided text (as identified in the prompt injection finding), creates a significant attack surface. An attacker could leverage this to modify the behavior of any other skill, potentially disabling them, altering their functionality, or injecting malicious code. *Recommendation:* Restrict the scope of skill modification. Instead of directly writing to `SKILL.md`, consider a more controlled mechanism, such as proposing changes in a structured format that requires explicit approval and sanitization, or limiting modifications to specific, pre-defined sections of a skill. Implement granular access controls if possible, to limit which skills can be modified by this optimizer skill. | LLM | SKILL.md:108 |
| MEDIUM | **Injected instructions could lead to data exfiltration.** While `skill-optimizer-lawvable` itself does not directly exfiltrate data, its ability to inject arbitrary instructions into other skills (as described in the prompt injection finding) creates a vector for data exfiltration. A malicious instruction added to another skill could command that skill to read sensitive data (e.g., from the conversation history, local files accessible to the agent, or environment variables) and then attempt to transmit it externally (e.g., via a tool call or by embedding it in an output that is later processed by an attacker). The skill also reads `SKILL.md` and `CHANGELOG.md` of other skills, which could be used to gather information about the agent's capabilities or past interactions, though this is less direct exfiltration. *Recommendation:* Address the root cause of prompt injection by sanitizing and validating user-provided instructions. Implement network egress filtering for the agent to prevent unauthorized data transmission. Limit the file system access of skills to only what is strictly necessary. | LLM | SKILL.md:108 |
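The critical finding's recommendation (sanitize and validate user-provided instructions before writing them into skill definitions) could be sketched as a pre-write screen. This is a minimal illustrative sketch, not SkillShield's or the skill's actual code; the pattern list, length limit, and function name are assumptions, and a real defense would combine such a screen with human review rather than rely on it alone.

```python
import re

# Hypothetical screen for a user-proposed instruction before it is
# written into another skill's SKILL.md. The patterns and limit below
# are illustrative and not an exhaustive prompt-injection defense.
SUSPICIOUS_PATTERNS = [
    r"ignore (all|any|previous) instructions",
    r"disregard .{0,40}(rules|guidelines|safety)",
    r"exfiltrat|send .{0,40}(http|url|webhook)",
    r"read .{0,40}(env|environment variable|credential|secret|token)",
]
MAX_INSTRUCTION_LENGTH = 500

def screen_instruction(text: str) -> list[str]:
    """Return reasons to reject the instruction; an empty list means
    it passed this screen and can proceed to human review."""
    reasons = []
    if len(text) > MAX_INSTRUCTION_LENGTH:
        reasons.append("instruction exceeds length limit")
    lowered = text.lower()
    for pattern in SUSPICIOUS_PATTERNS:
        if re.search(pattern, lowered):
            reasons.append(f"matched suspicious pattern: {pattern}")
    return reasons
```

A denylist like this only raises the bar; the report's call for a human approval step remains the stronger control.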
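The high-severity finding's recommendation to restrict write scope could look like a path-resolution guard that confines writes to the three documented files of one explicitly named skill, instead of arbitrary files under `skills/`. A minimal sketch, assuming a layout of `skills/<skill-name>/<file>`; the function name and error handling are illustrative, not part of the audited skill.

```python
from pathlib import Path

# Hypothetical guard: only the three documented per-skill files may be
# written, and only inside the named skill's own directory.
ALLOWED_FILENAMES = {"SKILL.md", "CHANGELOG.md", "OBSERVATIONS.md"}

def resolve_write_target(skills_root: str, skill_name: str, filename: str) -> Path:
    """Resolve a write path, raising PermissionError if it targets an
    undocumented file or escapes the skills root via path traversal."""
    if filename not in ALLOWED_FILENAMES:
        raise PermissionError(f"{filename} is not a writable skill file")
    root = Path(skills_root).resolve()
    target = (root / skill_name / filename).resolve()
    if root not in target.parents:
        raise PermissionError(f"{target} escapes {root}")
    return target
```

Checking the resolved path against `root` defeats `..` traversal in the skill name, which is the main way a broad `skills/` write grant gets widened further.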
[View the full report](https://skillshield.io/report/841e9075b08532f5)
Powered by SkillShield