Trust Assessment
box received a trust score of 88/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unsafe File Path Handling in Upload Operation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 9c1b8e80). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unsafe File Path Handling in Upload Operation. The skill's `Upload File` example demonstrates using `curl -F "file=@localfile.txt"`. If the `localfile.txt` path is constructed from untrusted user input without strict validation and sanitization, it could lead to command injection (if shell metacharacters are interpreted) or path traversal (allowing the upload of arbitrary files from the agent's filesystem). This poses a significant risk of data exfiltration or system compromise. When implementing the file upload functionality, ensure that the local file path is either strictly controlled by the skill (e.g., only allowing uploads from a specific, isolated directory) or, if user-provided, is thoroughly validated to prevent path traversal sequences (`../`) and shell metacharacters. Consider using a dedicated file upload mechanism that doesn't rely on direct shell command construction with user-supplied paths. | LLM | SKILL.md:20 |