Trust Assessment
asana received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Arbitrary File Upload Leading to Data Exfiltration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary File Upload Leading to Data Exfiltration. The `upload-attachment` command in `scripts/asana.mjs` allows an agent to specify an arbitrary file path via the `--file` argument. The skill then reads the content of this file using `fs.readFileSync` and uploads it to Asana. This creates a high-risk data exfiltration vector, as a malicious prompt to the LLM could instruct the skill to upload sensitive files (e.g., `/etc/passwd`, API keys, configuration files) from the host system to the Asana platform. Implement strict validation and sanitization for the `--file` argument. Ideally, restrict file uploads to a specific, sandboxed directory (e.g., `/tmp/uploads`) or require explicit user confirmation for uploads from sensitive system paths. Consider implementing content filtering or type restrictions if applicable. Ensure the skill runs with the principle of least privilege, limiting its access to the filesystem. | LLM | scripts/asana.mjs:500 |