Trust Assessment
cwicr-multilingual received a trust score of 74/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. The findings are: Arbitrary file loading via `load_database` (high); Missing required field: name (medium); Regular Expression Denial of Service (ReDoS) vulnerability (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Arbitrary file loading via `load_database` | The `load_database` method in the `CWICRMultilingual` class accepts an arbitrary `file_path` string as input and passes it directly to `pandas.read_parquet`, `pandas.read_excel`, or `pandas.read_csv`. This allows an attacker to specify any file path on the system, potentially leading to data exfiltration (reading sensitive files like `/etc/passwd` or application configuration) or denial of service (loading very large files that consume excessive memory or CPU). There is no validation or sanitization of the `file_path` argument. | Implement strict validation and sanitization of the `file_path` argument. Only allow loading from a predefined, safe directory, or restrict file extensions and content. Consider using a file picker or an allowlist of permitted files/paths instead of arbitrary string input. If files must be loaded from user input, ensure they are uploaded to a secure, isolated storage and referenced by an ID, not a direct path. | LLM | SKILL.md:103 |
| MEDIUM | Missing required field: name | The `name` field is required for claude_code skills but is missing from the frontmatter. | Add a `name` field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/cwicr-multilingual/SKILL.md:1 |
| MEDIUM | Regular Expression Denial of Service (ReDoS) vulnerability | The `cross_language_search` method in the `CWICRMultilingual` class uses the user-controlled `query` string directly in `source_df['description'].str.contains(query, ...)`. Pandas `str.contains` uses regular expressions by default. A malicious `query` crafted as a "catastrophic backtracking" regex could consume excessive CPU resources, causing the regex engine to hang and leading to a Denial of Service (DoS) for the skill or the underlying system. | (1) If simple substring matching is sufficient, set `regex=False` in `str.contains`. (2) If regex is required, implement a timeout for regex operations or use a safer regex engine/library that mitigates ReDoS. (3) Sanitize or validate user-provided `query` strings to reject known ReDoS patterns. | LLM | SKILL.md:210 |
Full report: https://skillshield.io/report/5334980273fd37d0