Trust Assessment
api-connector received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include "Prompt Injection Attempt: Misleading Safety Claim", "Excessive and Dangerous Tool Permissions", and "Credible Data Exfiltration Path via File System Access and Network Requests".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Prompt Injection Attempt: Misleading Safety Claim.** The `SKILL.md` content contains a 'Safety' section that explicitly states the skill 'Cannot execute bash commands' and 'Cannot edit local files'. This directly contradicts the skill's declared `allowed-tools` in the manifest, which include `BashOutput`, `KillShell`, and `NotebookEdit`. This is a critical prompt injection attempt, as it tries to manipulate the host LLM or user into believing the skill is safer than its actual permissions allow, potentially leading to the approval of a highly privileged and dangerous skill. Ensure all documentation accurately reflects the skill's true capabilities and declared permissions. Remove misleading safety claims. More importantly, review and drastically reduce the `allowed-tools` to only those strictly necessary for the skill's stated purpose. | LLM | SKILL.md:35 |
| CRITICAL | **Excessive and Dangerous Tool Permissions.** The skill's manifest declares an overly broad set of `allowed-tools` that far exceed the stated purpose of 'Connect to REST APIs, manage authentication, and process responses.' Specifically, `BashOutput`, `KillShell`, `NotebookEdit`, `TodoWrite`, `AskUserQuestion`, `SlashCommand`, `Skill`, `Glob`, and `Grep` grant capabilities for arbitrary command execution, file system manipulation, direct user interaction, and control over other skills. These permissions introduce severe risks for command injection, data exfiltration, and privilege escalation. Drastically reduce the `allowed-tools` list to the absolute minimum required for the skill's core functionality. For an API connector, `WebFetch` is likely the primary tool needed. Remove `BashOutput`, `KillShell`, `NotebookEdit`, `TodoWrite`, `AskUserQuestion`, `SlashCommand`, `Skill`, `Glob`, `Grep` unless a very specific and justified use case can be demonstrated and secured. | LLM | Manifest:1 |
| HIGH | **Credible Data Exfiltration Path via File System Access and Network Requests.** The combination of `Read`, `Glob`, and `Grep` permissions allows the skill to access and search the local file system for sensitive information. Coupled with `WebFetch` (a necessary tool for an API connector), this creates a direct and credible path for data exfiltration. A malicious actor or compromised skill could read arbitrary files and transmit their contents to an external server via the API connection. Remove `Read`, `Glob`, and `Grep` permissions if the skill does not genuinely require file system access. If limited file access is necessary, implement strict sandboxing and access controls to restrict the scope of files that can be read. | LLM | Manifest:1 |