Trust Assessment
bim-qto received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The findings are Arbitrary File Write via User-Controlled Path (high) and Missing required field: name (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary File Write via User-Controlled Path. The `to_excel` method writes an Excel file to an arbitrary `output_path` supplied by the user. An attacker could specify a sensitive system path (e.g., `/etc/passwd` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows) and overwrite critical system files, leading to denial of service, system instability, or privilege escalation if the skill runs with sufficient permissions. Although `pandas` performs the actual write, the absence of any path validation or restriction makes this a significant vulnerability. Recommendation: restrict `output_path` to a designated, non-sensitive directory (e.g., a temporary directory or a user-specific output folder) and validate the path so that it stays within the allowed boundary and contains no directory traversal sequences (e.g., `../`). | LLM | SKILL.md:249 |
| MEDIUM | Missing required field: name. The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/bim-qto/SKILL.md:1 |
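The HIGH finding comes from the LLM behavioral layer and the page does not show the skill's own `to_excel` code, so the following is an added example of the recommended fix, not code from bim-qto or SkillShield. It confines a caller-supplied output path to a designated directory using only the standard library. The names `resolve_output_path`, `write_output`, `UnsafeOutputPath` and `run_demo`, and the `.xlsx`-only suffix policy, are assumptions for illustration; the inputs exercised in `run_demo` are constructed. It goes slightly beyond the finding's two literal examples by also refusing drive-letter paths on a POSIX host, backslash traversal, and symlink escapes.

```python
"""Confining a user-supplied output path to a designated directory (added example)."""
import os
import shutil
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeOutputPath(ValueError):
    """Raised when a caller-supplied output path is refused."""


def resolve_output_path(user_path: str, allowed_root: Path,
                        allowed_suffixes=(".xlsx",)) -> Path:
    """Return an absolute path inside allowed_root, or raise UnsafeOutputPath.

    Checks, cheapest first:
    1. no empty string or NUL byte (a NUL truncates the name at the OS layer);
    2. no absolute path under either convention: "/etc/passwd" is absolute on
       POSIX, and "C:\\Windows\\..." carries a drive letter, which a POSIX host
       would otherwise accept as an odd but relative file name;
    3. no ".." component, split on both "/" and "\\" before touching the disk;
    4. after following symlinks, the result must still sit below the resolved
       root, which catches a symlink planted inside the output directory;
    5. the suffix must be one the skill is meant to produce (assumed policy).
    """
    if not user_path or "\x00" in user_path:
        raise UnsafeOutputPath("empty path or NUL byte")
    win = PureWindowsPath(user_path)            # splits on "/" and "\\" alike
    if win.drive or win.root or PurePosixPath(user_path).is_absolute():
        raise UnsafeOutputPath(f"absolute path refused: {user_path!r}")
    if ".." in win.parts:
        raise UnsafeOutputPath(f"directory traversal refused: {user_path!r}")
    root = allowed_root.resolve(strict=True)    # root must exist; resolve it once
    resolved = root.joinpath(*win.parts).resolve()
    if root not in resolved.parents:
        raise UnsafeOutputPath(f"path escapes {root}: {user_path!r}")
    if resolved.suffix.lower() not in allowed_suffixes:
        raise UnsafeOutputPath(f"unexpected file type: {resolved.suffix!r}")
    return resolved


def write_output(data: bytes, user_path: str, allowed_root: Path) -> Path:
    """Validate, then create the file without following a symlink on the last
    component and without overwriting anything (O_EXCL): the concrete harm in
    the finding is clobbering an existing file, so that is made impossible."""
    target = resolve_output_path(user_path, allowed_root)
    target.parent.mkdir(parents=True, exist_ok=True)   # parent is below root (checked)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def run_demo() -> dict:
    """Exercise the checks against scratch directories with constructed inputs."""
    root = Path(tempfile.mkdtemp(prefix="qto-out-")).resolve()
    outside = Path(tempfile.mkdtemp(prefix="qto-outside-")).resolve()
    (root / "link").symlink_to(outside, target_is_directory=True)  # planted escape
    cases = {
        "relative ok": "reports/qto.xlsx",
        "posix absolute": "/etc/passwd",
        "windows absolute": r"C:\Windows\System32\drivers\etc\hosts",
        "traversal": "../../etc/hosts.xlsx",
        "backslash traversal": r"reports\..\..\x.xlsx",
        "symlink escape": "link/out.xlsx",
        "wrong suffix": "hook.py",
    }
    results = {}
    for name, path in cases.items():
        try:
            ok = resolve_output_path(path, root)
            results[name] = "accepted:" + ok.relative_to(root).as_posix()
        except UnsafeOutputPath:
            results[name] = "rejected"
    payload = b"PK\x03\x04 constructed stand-in for an .xlsx zip container"
    written = write_output(payload, "reports/qto.xlsx", root)
    results["write"] = written.relative_to(root).as_posix()
    results["readback"] = written.read_bytes() == payload
    try:
        write_output(b"other", "reports/qto.xlsx", root)
        results["rewrite"] = "overwrote"
    except FileExistsError:
        results["rewrite"] = "refused"
    shutil.rmtree(root)
    shutil.rmtree(outside)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:20s} {outcome}")
```

The textual checks alone are not enough: a symlink inside the output directory passes the `..` test and is only caught by comparing the resolved path with the resolved root, and the final `O_NOFOLLOW | O_EXCL` open closes the window between that comparison and the write for the last path component. If the skill legitimately needs to overwrite earlier output, drop `O_EXCL` but keep the containment check.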
Full report: https://skillshield.io/report/6a1af0ea1139e085 (powered by SkillShield)