Security Audit
ncklrs/startup-os-skills:skills/create-video-start
github.com/ncklrs/startup-os-skills
Trust Assessment
ncklrs/startup-os-skills:skills/create-video-start received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include Direct Prompt Injection via Creative Brief, Excessive Permissions: Bash tool granted to /motion-designer, Chained Prompt Injection via Intermediate Files.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 26/100, indicating areas for improvement.
Last analyzed on March 10, 2026 (commit 91625964). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Direct Prompt Injection via Creative Brief.** The user-provided `$CREATIVE_BRIEF` is directly embedded into the prompt for the `/motion-designer` sub-skill without any sanitization or escaping. A malicious user could craft a brief containing instructions that manipulate the sub-skill's behavior, potentially leading to unintended actions, data exfiltration, or arbitrary command execution if the sub-skill has access to powerful tools like `Bash`. Implement robust sanitization or escaping of user input (`$CREATIVE_BRIEF`) before embedding it into prompts. Consider using a structured input format (e.g., JSON) with schema validation or a dedicated prompt templating mechanism that prevents arbitrary instruction injection. | LLM | SKILL.md:40 |
| HIGH | **Excessive Permissions: Bash tool granted to /motion-designer.** The `/motion-designer` sub-skill, whose primary function is to generate a specification document, is granted `Bash` tool access. This is an excessive permission that, when combined with the direct prompt injection vulnerability (SS-LLM-001), allows a malicious user to execute arbitrary shell commands through the compromised sub-skill. Remove `Bash` from the `allowedTools` for `/motion-designer`. Only grant the minimum necessary tools for each skill's intended function. If `Bash` is truly needed for a specific, controlled operation, encapsulate it carefully and ensure inputs are fully sanitized. | LLM | SKILL.md:49 |
| HIGH | **Chained Prompt Injection via Intermediate Files.** Outputs from previous steps (e.g., `VIDEO_SPEC.md`, `ANIMATION_CONFIG.md`) are read using `$(cat ...)` and directly embedded into subsequent sub-skill prompts. If an earlier skill is compromised (e.g., via prompt injection into `$CREATIVE_BRIEF`), it could generate malicious output that then injects instructions into later skills in the pipeline, creating a chained prompt injection vulnerability. This allows an attacker to propagate control through the entire pipeline. Implement strict validation and sanitization of all intermediate outputs before they are used as input for subsequent skill prompts. Consider using structured data formats (e.g., JSON, YAML) with schema validation instead of raw markdown to prevent arbitrary instruction embedding. | LLM | SKILL.md:57 |
| MEDIUM | **Command Injection Risk via $TOTAL_SCENES in Shell Command.** The orchestrator's `for` loop uses `$TOTAL_SCENES` in a shell command `$(seq 1 $TOTAL_SCENES)`. If `$TOTAL_SCENES` is derived from untrusted input (e.g., a compromised `VIDEO_SPEC.md` due to prompt injection) and is not strictly validated as an integer, a malicious value could lead to command injection in the orchestrator's own execution environment (e.g., `$TOTAL_SCENES` could be `1; rm -rf /`). Ensure `$TOTAL_SCENES` is always strictly validated as an integer before being used in shell commands. If it's derived from a file, parse and validate the file content carefully to extract the integer value. | LLM | SKILL.md:99 |
| MEDIUM | **Excessive Permissions: WebSearch tool granted to /remotion-asset-coordinator.** The `/remotion-asset-coordinator` sub-skill is granted `WebSearch` tool access. While this might be intended for finding asset sources, it's a powerful tool that could be abused via prompt injection to exfiltrate data (e.g., by searching for sensitive information and sending it to an attacker-controlled site) or perform other malicious web requests if not carefully constrained. Re-evaluate if `WebSearch` is strictly necessary for this skill's core function. If so, ensure that any input to the `WebSearch` tool is thoroughly sanitized and that the skill's prompt explicitly restricts its use to legitimate asset coordination tasks. Consider a more constrained 'search for assets' tool instead of a general `WebSearch`. | LLM | SKILL.md:147 |