Trust Assessment
agent-content-pipeline received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include Unpinned npm package dependency in installation instructions, Potential command injection via CLI arguments, Broad filesystem access and external editor interaction for agent.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned npm package dependency in installation instructions: The `SKILL.md` instructs users to install `agent-content-pipeline` globally via `npm install -g agent-content-pipeline`, and the `skill.json` specifies this package without a version constraint. This means that any installation will fetch the latest available version from npm. If a malicious update is published to the `agent-content-pipeline` package, it could lead to a supply chain attack, compromising the system running the skill when the installation command is executed. Pin the version of `agent-content-pipeline` in the installation instructions (e.g., `npm install -g agent-content-pipeline@1.2.3`) and update `skill.json` to reflect this specific version or a secure version range (e.g., `"package": "agent-content-pipeline@^1.2.3"`). Regularly review and update pinned versions. | LLM | SKILL.md:7 |
| MEDIUM | Potential command injection via CLI arguments: The skill instructs the agent to execute various `content` CLI commands, such as `content review <file>`, `content mv <dest> <file>`, `content edit <file>`, `content post <file>`, and `content thread <file>`. If the `<file>` or `<dest>` arguments are constructed directly from untrusted user input without proper sanitization or validation, a malicious user could inject shell metacharacters (e.g., `;`, `|`, `&&`, `$()`) to execute arbitrary commands on the host system. While the provided `SKILL.md` does not explicitly show the agent taking direct user input for these arguments, it is a common vulnerability pattern for AI agents to construct command arguments dynamically. Implement robust input validation and sanitization for all arguments passed to shell commands. When constructing commands, prefer using arrays of arguments (e.g., `subprocess.run(['content', 'review', filename])` in Python) rather than concatenating strings, to prevent shell interpretation of metacharacters. Ensure that the agent's internal logic for generating these arguments is secure and does not allow untrusted input to directly influence command structure. | LLM | SKILL.md:78 |
| LOW | Broad filesystem access and external editor interaction for agent: The agent is granted permissions to "Write to `drafts/`", "Read all content directories", and "Move revised files to `revised/`". This implies significant filesystem access within the skill's operational directories. Additionally, the `content edit <file>` command instructs the agent to open a file in an external editor (`$EDITOR` or `code`). If the `$EDITOR` environment variable is controlled by an attacker or points to a malicious executable, or if the agent is tricked into editing a sensitive file outside its intended scope, this could lead to data manipulation or execution of arbitrary code. While the skill defines a specific workflow, the broad filesystem access within that workflow and the reliance on an external editor warrant attention. Restrict the agent's filesystem access to the absolute minimum necessary directories using sandboxing or containerization if possible. For the `content edit` command, ensure that the agent is only allowed to edit files within the designated content directories and that the `$EDITOR` environment variable is controlled and points to a trusted application. Consider if the agent truly needs to invoke an external editor, or if internal text manipulation capabilities would suffice. | LLM | SKILL.md:30 |