Security Audit
openai/skills:skills/.curated/winui-app
github.com/openai/skillsTrust Assessment
openai/skills:skills/.curated/winui-app received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Arbitrary Command Execution via WinGet Configuration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on July 17, 2026 (commit 49f948fa). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Arbitrary Command Execution via WinGet Configuration The skill instructions mandate running a local WinGet configuration file (`winget configure -f config.yaml --accept-configuration-agreements --disable-interactivity`) automatically during the setup/bootstrap flow. Because `config.yaml` is part of the workspace/repository and can be modified by untrusted inputs or PRs, this allows arbitrary system configuration changes, software installations, or script execution with elevated privileges on the user's machine without interactive confirmation. Avoid running WinGet configurations automatically with `--disable-interactivity`. Prompt the user with the specific changes to be made, or require manual execution and verification of the `config.yaml` contents before running the command. | LLM | SKILL.md:21 |
Scan History
Embed Code
[](https://skillshield.io/report/be87d47c3f884d57)
Powered by SkillShield