Trust Assessment
agents-manager received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include: "Unsafe deserialization / dynamic eval"; "Missing required field: name"; and "Unsanitized User Input in Markdown File Leads to Prompt Injection/Data Manipulation".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Path Traversal Vulnerability in Registry Validation Script: the `validate_registry.js` script allows an arbitrary file path to be passed as the first command-line argument (`registry_path`). This path is then used directly in `fs.readFileSync()` without proper validation or sanitization. An attacker could exploit this to read any file on the system that the Node.js process has permissions to access (e.g., `/etc/passwd`, `.env` files, other sensitive configuration). This constitutes a severe data exfiltration vulnerability. Remediation: implement strict validation for the `registry_path` argument. Ensure that the provided path is either a fixed, known path or is strictly confined to an allowed directory (e.g., `references/`). Use `path.resolve()` and then check that the resolved path is a child of the intended base directory to prevent directory traversal attacks. | LLM | `scripts/validate_registry.js:66` |
| MEDIUM | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remediation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | `skills/agentandbot-design/agents-manager/scripts/health_check.js:2` |
| MEDIUM | Missing required field: name. The `name` field is required for claude_code skills but is missing from the frontmatter. Remediation: add a `name` field to the SKILL.md frontmatter. | Static | `skills/agentandbot-design/agents-manager/SKILL.md:1` |
| MEDIUM | Unsanitized User Input in Markdown File Leads to Prompt Injection/Data Manipulation: the `setup_wizard.js` script takes user input for agent details (ID, name, role, reports_to) and directly appends it to `agent-registry.md` without sanitization. An attacker could inject markdown syntax (e.g., `### New Section`, `[link](malicious_url)`, or even LLM instructions) into fields like `agent.id` or `agent.name`. If `agent-registry.md` is later consumed by an LLM as context, this could lead to prompt injection, allowing the attacker to manipulate the LLM's behavior. It also poses a risk of data manipulation within the registry file itself, potentially confusing other parsing scripts or human readers. Remediation: implement input sanitization for all user-provided fields (`agent.id`, `agent.name`, `agent.role`, `agent.reports_to`) before writing them to `agent-registry.md`. This should involve escaping markdown special characters to prevent unintended formatting or instruction injection. | LLM | `scripts/setup_wizard.js:70` |