Trust Assessment
cwicr-escalation received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Missing required field: name, Arbitrary File Write via export_escalation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Arbitrary File Write via export_escalation The `export_escalation` method takes an `output_path` string argument and uses it directly with `pd.ExcelWriter` to create a file. If an attacker can control the `output_path` parameter, they could write an Excel file to an arbitrary location on the filesystem. This could lead to overwriting critical system files, writing to sensitive directories, or creating files in unexpected locations, potentially causing denial of service, data corruption, or aiding in further attacks. Implement strict validation and sanitization for the `output_path` parameter. Ensure that the path is within an allowed, sandboxed directory and prevent directory traversal (e.g., `../`). Consider using a temporary file or a predefined output directory for all exports. | LLM | SKILL.md:235 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/cwicr-escalation/SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/610a649ece074690)
Powered by SkillShield