Trust Assessment
claude-code-skill received a trust score of 33/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 1 critical, 3 high, 3 medium, and 3 low severity. Key findings include Unsafe environment variable passthrough, Missing required field: name, Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 29/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via MCP Server Configuration | The skill allows dynamic creation and configuration of MCP servers, where the 'command' and 'args' fields of the ServerConfig object are directly used to spawn child processes via StdioClientTransport. If an attacker can control the 'mcp_config.json' file (which is loaded from 'process.cwd()' by default or an arbitrary path set by 'setConfigPath') or inject arguments into the 'addMcpServer' function, they can execute arbitrary shell commands on the host system. This is a direct command injection vulnerability. | Implement strict validation and sanitization for 'command' and 'args' fields in ServerConfig. Consider using a whitelist of allowed commands and arguments. Ensure that 'mcp_config.json' is loaded only from trusted, immutable locations or that its content is cryptographically signed and verified before use. Restrict the ability to dynamically add or modify MCP server configurations from untrusted sources. | LLM | src/mcp/client.ts:16 |
| HIGH | Unsafe environment variable passthrough | Bulk environment variable harvesting. | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/enderfga/claude-code-skill/src/mcp/client.ts:24 |
| HIGH | Exposure of Host Environment Variables to Child Processes | The 'createClient' function explicitly merges all environment variables from the host process ('process.env') into the environment of the spawned child process. This means that any sensitive environment variables (e.g., API keys, database credentials) present in the host's environment will be accessible to the MCP server process. A malicious MCP server, potentially spawned via command injection, could easily exfiltrate these sensitive environment variables. | Filter environment variables passed to child processes. Only explicitly whitelist necessary environment variables, or provide a mechanism to exclude sensitive ones. Avoid passing the entire 'process.env' object to untrusted or potentially compromised child processes. | LLM | src/mcp/client.ts:20 |
| HIGH | Excessive Filesystem Permissions Granted to MCP Servers | The skill's examples demonstrate configuring filesystem MCP servers with broad access, such as to '/tmp' or the current working directory ('./'). While this is shown as a feature, the underlying mechanism allows an attacker (if they can achieve command injection) to configure a malicious MCP server with extensive filesystem read/write permissions. This could lead to unauthorized data access, modification, or deletion of sensitive files on the host system. | When configuring filesystem access for MCP servers, enforce the principle of least privilege. Restrict access to only the directories and files absolutely necessary for the server's function. Avoid granting access to sensitive system directories or the entire current working directory, especially if the server's command source is not fully trusted. | LLM | SKILL.md:20 |
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. | Add a 'name' field to the SKILL.md frontmatter. | Static | skills/enderfga/claude-code-skill/SKILL.md:1 |
| MEDIUM | Unpinned npm dependency version | Dependency '@modelcontextprotocol/sdk' is not pinned to an exact version ('^1.0.0'). | Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/enderfga/claude-code-skill/package.json |
| MEDIUM | Insecure Handling of Credentials in Configuration File | The skill's documentation explicitly shows how to configure an MCP server (e.g., GitHub) with sensitive credentials like 'GITHUB_TOKEN' directly within the 'mcp_config.json' file. If this configuration file is stored in an insecure location, is readable by unauthorized users, or can be modified by an attacker, it could lead to the exposure or misuse of these credentials. While the skill doesn't 'harvest' credentials, it provides a mechanism for their insecure storage and use. | Advise users against storing sensitive credentials directly in plain-text configuration files. Recommend using secure credential management systems (e.g., environment variables, secret managers, or encrypted vaults) for storing and retrieving API keys and tokens. If configuration files must contain credentials, ensure they are encrypted at rest and accessed only by authorized processes. | LLM | SKILL.md:89 |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). | Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/enderfga/claude-code-skill/package.json |
| LOW | Sensitive Data Stored in Client-Side Persistence Without Encryption | The skill provides a persistence mechanism using IndexedDB and localStorage via 'createPersistStore' and 'indexedDBStorage'. The 'examples/chat-store.ts' demonstrates storing chat messages, which can contain sensitive user data. While client-side storage is common, storing sensitive information without encryption can pose a data exfiltration risk if the application is vulnerable to Cross-Site Scripting (XSS) or if the user's device is compromised. The skill does not offer built-in encryption for this persistent data. | For sensitive data stored using 'createPersistStore', implement client-side encryption before storing and decryption upon retrieval. Advise users to avoid storing highly sensitive information in unencrypted client-side storage. Provide clear guidance on the security implications of storing different types of data. | LLM | src/store/indexeddb-storage.ts:34 |
| LOW | Unpinned Dependencies in package.json | The 'package.json' file uses caret (^) ranges for dependencies (e.g., '^1.0.0'). While common, this practice allows minor and patch updates to be installed automatically. A malicious update to a dependency within its allowed range could introduce vulnerabilities without explicit review, posing a supply chain risk. Although not fully unpinned, it's less secure than exact pinning. | Consider pinning dependencies to exact versions to ensure deterministic builds and reduce the risk of unexpected vulnerabilities introduced by upstream updates. Regularly audit and update dependencies to incorporate security fixes. | LLM | package.json:17 |
Full report: https://skillshield.io/report/d5d9a0841bc1effe