Security Audit
Luispitik/sinapsis-3.2:skills/skill-router
github.com/Luispitik/sinapsis-3.2
Trust Assessment
Luispitik/sinapsis-3.2:skills/skill-router received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 9 critical, 9 high, 1 medium, and 1 low severity. Key findings include "File read + network send exfiltration", "Missing required field: name", and "Sensitive path access: AI agent config".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on April 9, 2026 (commit f405238d). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remediation: remove access to sensitive files not required by the skill's stated purpose; SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/skill-router/SKILL.md:12 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remediation: remove access to sensitive files not required by the skill's stated purpose; SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/skill-router/SKILL.md:23 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remediation: remove access to sensitive files not required by the skill's stated purpose; SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/skill-router/SKILL.md:24 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remediation: remove access to sensitive files not required by the skill's stated purpose; SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/skill-router/SKILL.md:83 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remediation: remove access to sensitive files not required by the skill's stated purpose; SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/skill-router/SKILL.md:84 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remediation: remove access to sensitive files not required by the skill's stated purpose; SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/skill-router/SKILL.md:87 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remediation: remove access to sensitive files not required by the skill's stated purpose; SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/skill-router/SKILL.md:284 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remediation: remove access to sensitive files not required by the skill's stated purpose; SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/skill-router/SKILL.md:329 |
| CRITICAL | Untrusted Skill Installation via Catalog: the skill describes a mechanism to install other skills from a `_catalog.json` which can be synced from a 'GitHub registry'. The installation process involves copying skill files to `.claude/commands/`, implying they are then executed by the LLM. Without robust security measures like code signing, sandboxing, or strict vetting of skill sources, this creates a critical supply chain vulnerability. A compromised catalog or registry could lead to the installation and execution of malicious skills, potentially allowing arbitrary code execution within the LLM's environment. Remediation: implement strong security controls for skill installation: require code signing, implement sandboxing for skill execution, vet all skills in the catalog, and ensure secure update mechanisms for the catalog itself. Skills should be treated as untrusted code and executed in isolated environments. | LLM | SKILL.md:195 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Remediation: verify that access to this sensitive path is justified and declared. | Static | skills/skill-router/SKILL.md:12 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Remediation: verify that access to this sensitive path is justified and declared. | Static | skills/skill-router/SKILL.md:23 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Remediation: verify that access to this sensitive path is justified and declared. | Static | skills/skill-router/SKILL.md:24 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Remediation: verify that access to this sensitive path is justified and declared. | Static | skills/skill-router/SKILL.md:83 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Remediation: verify that access to this sensitive path is justified and declared. | Static | skills/skill-router/SKILL.md:84 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Remediation: verify that access to this sensitive path is justified and declared. | Static | skills/skill-router/SKILL.md:87 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Remediation: verify that access to this sensitive path is justified and declared. | Static | skills/skill-router/SKILL.md:284 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Remediation: verify that access to this sensitive path is justified and declared. | Static | skills/skill-router/SKILL.md:329 |
| HIGH | Broad Filesystem and Command Execution Permissions: the skill explicitly states reading and writing to various files and directories within `~/.claude/` (e.g., `_operator-state.json`, `_daily-summaries/`, `CLAUDE.md`, `_projects.json`, `_catalog.json`, `settings.json`) and the current project directory. It also accesses `git config user.name` and `user.email`, implying `git` command execution. This broad access, while functional for the skill's purpose, presents a significant security risk if the skill is compromised, allowing potential unauthorized data access, modification, or further command execution beyond its intended scope. Remediation: implement a least-privilege model. Restrict filesystem access to only strictly necessary paths and file types. If `git` commands are executed, ensure they are tightly constrained and do not allow arbitrary command injection. Consider sandboxing the skill's execution environment to limit its impact if compromised. | LLM | SKILL.md:40 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Remediation: add a 'name' field to the SKILL.md frontmatter. | Static | skills/skill-router/SKILL.md:1 |
| LOW | Access to Git User Configuration: the skill accesses `git config user.name` and `user.email` during the onboarding process. This personal information is then stored in `CLAUDE.md` and `operator-state.json`. While typically not highly sensitive, this constitutes collection and storage of user data, which could be a privacy concern or a minor data leakage point if the skill or its storage is compromised, or if the user's git configuration contains more sensitive details. Remediation: inform the user explicitly about the collection and storage of this data. Ensure secure storage and handling of all collected personal information. Consider whether this information is strictly necessary for the skill's core function, or whether it can be obtained through less intrusive means. | LLM | SKILL.md:45 |
Full report: https://skillshield.io/report/e4dba7a9a3a66dec
Powered by SkillShield