Trust Assessment
bim-cost-estimation-cwicr received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include: a missing required field (`name`), prompt injection via unsanitized user input, and command injection via `subprocess.run` with unsanitized input.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Prompt Injection via unsanitized user input | The `decompose_bim_type` method constructs an LLM prompt by directly embedding `bim_type` and `category` without any sanitization. An attacker controlling these inputs could inject malicious instructions into the prompt, manipulating the LLM's behavior to perform unintended actions, generate harmful content, or potentially exfiltrate sensitive information if the LLM has access to it. | Implement robust input validation and sanitization for `bim_type` and `category` before constructing the prompt. Consider using a templating engine with strict auto-escaping or a more structured approach to pass parameters to the LLM, ensuring that user input is treated as data, not instructions. | LLM | SKILL.md:210 |
| CRITICAL | Command Injection via `subprocess.run` with unsanitized input | The `estimate_from_bim_model` function uses `subprocess.run` to execute an external program (`RvtExporter.exe`). The `model_path` argument is passed directly to this command. If `model_path` can be controlled by an attacker, they could inject arbitrary shell commands, leading to remote code execution on the host system. | Thoroughly validate `model_path` to ensure it is a legitimate file path and does not contain any shell metacharacters or command separators. If `model_path` is user-provided, it must be strictly sanitized or restricted to prevent command injection. Consider using `shlex.quote` for individual arguments if they might contain spaces, but the primary defense should be input validation. | LLM | SKILL.md:374 |
| HIGH | Arbitrary File Write via unsanitized output path | The `generate_estimate_report` function constructs an Excel file path using `output_path`, which is derived from the user-controlled `output_dir` argument in `estimate_from_bim_model`. An attacker could provide a path traversal sequence (e.g., `../../`) or an absolute path to write files to arbitrary locations on the filesystem, potentially overwriting critical system files or exfiltrating data by writing it to a publicly accessible directory. | Restrict `output_path` to a designated, sandboxed directory. Implement strict validation on `output_dir` to prevent path traversal attacks and ensure it refers only to allowed locations. Do not allow arbitrary absolute paths. | LLM | SKILL.md:330 |
| MEDIUM | Missing required field: `name` | The `name` field is required for claude_code skills but is missing from the frontmatter. | Add a `name` field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/bim-cost-estimation-cwicr/SKILL.md:1 |
| INFO | API Key Handling in Constructor | The `BIMCostEstimator` class constructor accepts `qdrant_api_key` and `openai_api_key` as direct arguments. While the provided example usage does not explicitly pass these, the design allows for them to be passed directly. If these keys are sourced from untrusted input or insecurely stored or passed, it could lead to credential exposure. Best practice is to use environment variables or a secure secret management system. | Use environment variables (e.g., `OPENAI_API_KEY`) or a secure secret management system for API keys instead of passing them as direct function arguments, especially if the arguments could originate from untrusted sources. Ensure these keys are never logged or exposed in code or configuration files. | LLM | SKILL.md:153 |