Trust Assessment
canvas-design received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unrestricted external font downloads.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unrestricted external font downloads | LLM | SKILL.md:85 |

Finding detail: The skill instructs the LLM to 'Download and use whatever fonts are needed'. This directive allows the LLM to fetch and potentially process external resources (fonts) from arbitrary, untrusted sources. This introduces a significant supply chain risk, as malicious fonts could contain exploits, lead to resource exhaustion, or introduce other vulnerabilities. Furthermore, if the LLM attempts to fulfill this by executing shell commands (e.g., `curl`, `wget`), it could lead to command injection or arbitrary code execution, depending on the LLM's execution environment and permissions.

Recommendation: Restrict font usage to a pre-approved, curated list of fonts or those available in the local `./canvas-fonts` directory. If external fonts are absolutely necessary, implement a secure, sandboxed download mechanism with strict validation and user confirmation, and specify trusted sources only.
Scan History
Embed Code
Report: https://skillshield.io/report/579aa74877024367
Powered by SkillShield