Trust Assessment
app-builder received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include Command Injection via unsanitized user input, Explicit instruction to exfiltrate local .env file, Capture and use of sensitive API credentials (appId, token).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via unsanitized user input: The skill constructs shell commands using user-provided values like `<app-name>` and `<repo-name>` without apparent sanitization. A malicious user could inject arbitrary shell commands by providing specially crafted names. For example, an `<app-name>` like `my-app; rm -rf /;` could lead to severe system compromise. All user-provided inputs used in shell commands must be strictly validated and sanitized (e.g., using `shlex.quote` in Python or similar mechanisms) to prevent command injection. This applies to `<app-name>` in `create-instant-app` and `<repo-name>` in `gh repo create`. | LLM | SKILL.md:35 |
| CRITICAL | Explicit instruction to exfiltrate local .env file: The skill explicitly instructs the agent to "Use the CLI to push the environment variables you do have in the local .env file" to Vercel. This can lead to the exfiltration of sensitive local environment variables that may not be intended for deployment or could contain secrets specific to the local development environment. Do not automatically push all local `.env` variables. Instead, prompt the user to specify which variables should be pushed, or provide a mechanism for selective and secure transfer of environment variables to deployment platforms. | LLM | SKILL.md:74 |
| HIGH | Capture and use of sensitive API credentials (appId, token): The skill captures `appId` and `token` from `npx instant-cli init-without-files` and subsequently uses them in other commands. While this is part of the intended workflow, an untrusted skill handling and directly interpolating sensitive credentials into shell commands poses a risk. A malicious skill could log or exfiltrate these credentials. Implement secure credential management practices. Avoid direct interpolation of sensitive credentials into shell commands. Consider using environment variables, secure vaults, or tool-specific credential stores. Ensure credentials are not logged or exposed. | LLM | SKILL.md:30 |
| HIGH | Broad filesystem access and arbitrary code execution capabilities: The skill operates within the `~/apps` directory, granting broad filesystem access. It also instructs the use of a "coding agent (Codex CLI or equivalent) from within the app directory to make changes," implying the ability to execute arbitrary code or commands based on user requests. Combined with powerful CLIs like `git`, `gh`, `vercel`, and `npx`, this creates an environment with excessive permissions, enabling potential system compromise or unauthorized deployments. Restrict the skill's operating environment to the absolute minimum necessary. Implement strict sandboxing for code execution. Carefully review and limit the capabilities of any "coding agent" to prevent arbitrary command execution. | LLM | SKILL.md:10 |
| MEDIUM | Unpinned `npx` and CLI dependencies: The skill relies on `npx instant-cli`, `npx create-instant-app`, `gh`, and `vercel` without specifying exact versions. This means the latest available version will be used, which could introduce breaking changes, vulnerabilities, or even malicious code if a package maintainer's account is compromised or a typosquatting attack occurs. Pin all external dependencies to specific versions (e.g., `npx instant-cli@1.2.3`). Regularly audit and update these pinned versions to mitigate supply chain risks. | LLM | SKILL.md:4 |
| MEDIUM | Untrusted content dictates LLM conversational behavior: The "Communicating" section in the untrusted skill definition attempts to instruct the host LLM on how to interact with the user, including specific phrases and conversational style ("send a message saying...", "send period updates...", "Make it fun for the user."). This is a form of prompt injection, as it dictates the LLM's output and behavior based on untrusted input, potentially overriding its core instructions or persona. LLM conversational instructions should be defined by the trusted system prompt, not by untrusted skill definitions. Remove or ignore conversational directives from untrusted skill content. | LLM | SKILL.md:83 |
Full report: https://skillshield.io/report/a82425e76b6d0c9d