Trust Assessment
context-optimizer received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 1 low severity. Key findings include unsafe deserialization / dynamic eval, an unpinned npm dependency version, and a missing Node lockfile.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Skill configuration allows arbitrary file system access via `archivePath`.** The `ContextArchive` class in `lib/index.js` performs file system operations (`fs.mkdir`, `fs.readFile`, `fs.writeFile`, and `fs.rm`) within the directory specified by `this.config.archivePath`. The `archivePath` is part of the skill's configurable options (`DEFAULT_CONFIG` can be overridden by the agent's configuration). If a malicious actor can control the `archivePath` configuration parameter (e.g., by setting it to `/etc`, `/root`, or `~/.ssh`), they could read, write, or delete arbitrary files and directories on the host system. This constitutes a severe command injection and data exfiltration vulnerability, granting excessive permissions to the skill. Remediation: restrict `archivePath` to be strictly within the skill's designated data directory (e.g., `path.join(__dirname, 'data', 'context-archive')`); do not allow `archivePath` to be an arbitrary user-controlled path; implement robust path sanitization to prevent directory traversal attacks (e.g., `../`). | LLM | lib/index.js:100 |
| HIGH | **CLI allows arbitrary file read/write via arguments.** The `scripts/cli.js` file implements a command-line interface for the context pruner. The `prune` command (function `pruneFile`) takes `inputPath` and `outputPath` directly from `process.argv`. It then uses `fs.readFileSync(inputPath, 'utf8')` and `fs.writeFileSync(outputPath, JSON.stringify(outputData, null, 2))` without any path validation or sanitization. This allows a user to specify arbitrary file paths on the system, potentially leading to reading sensitive files (data exfiltration) or overwriting/creating files in critical system locations (command injection). While this requires explicit execution of the CLI, it represents an excessive permission granted by the skill package. Remediation: implement strict path validation and sanitization for `inputPath` and `outputPath`; restrict file operations to a designated, sandboxed directory; ensure the agent cannot be coerced into invoking this CLI with untrusted arguments; consider whether this CLI functionality is truly necessary for the skill's operation within the agent environment. | LLM | scripts/cli.js:109 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remediation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ad2546/context-optimizer/lib/index.js:1750 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'tiktoken' is not pinned to an exact version ('^1.0.15'). Remediation: pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/ad2546/context-optimizer/package.json |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Remediation: commit a lockfile for deterministic dependency resolution. | Dependencies | skills/ad2546/context-optimizer/package.json |