Trust Assessment
device-assistant received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Path Traversal in Cache File Naming.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Path Traversal in Cache File Naming. The `search_error_code` function constructs a `cache_key` from user-controlled inputs (`manufacturer`, `model`, `error_code`). This `cache_key` is then used directly to form a filename for caching search results. The sanitization applied (`tr ' ' '-' \| tr '[:upper:]' '[:lower:]'`) is insufficient to prevent path traversal characters (e.g., `/`, `..`) from being included in the filename. An attacker could craft input like `manufacturer=../../../../tmp/evil` to write files outside the intended `$CACHE_DIR`, potentially overwriting critical system files or creating files in sensitive locations, which can lead to data corruption or arbitrary code execution. Implement robust sanitization for `cache_key` to restrict it to safe characters (e.g., alphanumeric, hyphens only) or use a cryptographic hash of the input as the filename to prevent path traversal. For example, `cache_key=$(echo -n "${manufacturer}-${model}-${error_code}" \| sha256sum \| head -c 32)`. | LLM | scripts/handler.sh:70 |