Trust Assessment
ai-sdk-core received a trust score of 25/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 1 high, 1 medium, and 2 low severity. Key findings include "File read + network send exfiltration", "Unpinned npm dependency version", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 53/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown and Behavioral Risk Signals (charts not reproduced in this text; per-layer scores are summarized above)
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | File read + network send exfiltration (.env file access). Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/veeramanikandanr48/ai-sdk-core/templates/nextjs-server-action.ts:145 |
| CRITICAL | Dynamic MCP tools enable command injection. The skill documentation explicitly warns about the critical security risks of using dynamic Model Context Protocol (MCP) tools in production. The example demonstrates a command injection vector where `experimental_createMCPClient` is configured to execute an external command (`npx @modelcontextprotocol/server-filesystem`) via its `transport` configuration. A compromised MCP server or malicious prompt could inject arbitrary commands, leading to severe system compromise. The rubric itself highlights this as a critical risk. As suggested by the rubric, use static tool generation (`mcp-to-ai-sdk`) and commit generated tools to version control. Avoid dynamic tool loading from untrusted sources in production environments. | LLM | SKILL.md:138 |
| HIGH | `fs.readFile` tool without approval can lead to data exfiltration. The `readFile` tool example demonstrates direct filesystem access (`fs.readFile(path)`). While the rubric suggests `needsApproval: false` for 'safe operations', reading arbitrary files on the filesystem can be a data exfiltration vector if the `path` parameter is controlled by untrusted input (e.g., a malicious prompt). An attacker could instruct the agent to read sensitive files (e.g., `/etc/passwd`, `.env` files, private keys) and then exfiltrate their content through the agent's response. For any tool that accesses the filesystem (read or write), implement strict input validation and sanitization for the `path` parameter. Consider using a whitelist of allowed directories or file types, or requiring explicit human approval (`needsApproval: true`) for any filesystem access, especially if the path is derived from user input. | LLM | SKILL.md:102 |
| MEDIUM | Unpinned npm dependency version. Dependency 'ai' is not pinned to an exact version ('^5.0.95'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/veeramanikandanr48/ai-sdk-core/templates/package.json |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/veeramanikandanr48/ai-sdk-core/templates/package.json |
| LOW | Unpinned dependencies using caret ranges. The `package.json` uses caret (`^`) ranges for dependencies (e.g., `"ai": "^5.0.95"`). While common, this practice allows minor and patch versions to be automatically updated, which could inadvertently introduce breaking changes, vulnerabilities, or malicious code if a dependency's maintainer is compromised. For production systems, exact pinning or stricter version ranges combined with lock files are recommended for deterministic builds and enhanced security. Use exact version pinning (e.g., `"ai": "5.0.95"`) or tilde (`~`) ranges for patch updates only. Ensure `package-lock.json` (or `yarn.lock`) is committed and used for deterministic builds. Regularly audit dependencies for known vulnerabilities. | LLM | templates/package.json:8 |