Trust Assessment
emotion-state received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The key findings are "Second-order prompt injection via emotion classification reason" and "Sensitive message content sent to external emotion classifier".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Second-order prompt injection via emotion classification reason.** The skill classifies user and agent messages using an external LLM (OpenAI or a custom `EMOTION_CLASSIFIER_URL`). The `reason` for the inferred emotion, generated by this external LLM, is then directly injected into the main system prompt without sanitization. A malicious user could craft their input messages to induce the emotion classifier LLM to output a prompt injection payload as the `reason`. This payload would then manipulate the main LLM's behavior, potentially leading to unauthorized actions or information disclosure. Implement robust sanitization or escaping of LLM-generated `reason` before injecting it into the main system prompt. Consider using a structured output format for the `reason` that limits its expressive power, or a separate LLM call to rephrase the reason in a safe, non-instructive manner. The `ensureSentence` function does not provide sufficient sanitization against prompt injection. | LLM | hooks/emotion-state/handler.ts:470 |
| HIGH | **Sensitive message content sent to external emotion classifier.** The skill sends the full content of user and agent messages to an external emotion classification service. This service can be either OpenAI's API or a custom endpoint specified by the `EMOTION_CLASSIFIER_URL` environment variable. If `EMOTION_CLASSIFIER_URL` is configured to a malicious or untrusted server, all conversation history (including potentially sensitive user and agent messages) could be exfiltrated. Even when using OpenAI, users should be explicitly aware that their data is being processed by a third-party service. 1. **Transparency:** Clearly inform users that their conversation data will be sent to an external service for emotion classification. 2. **Consent:** Implement a mechanism for users to explicitly consent to this data transfer. 3. **Data Minimization:** Evaluate if the entire message content is strictly necessary, or if a summarized/redacted version could suffice for classification. 4. **Trusted Endpoints:** Strongly advise users to only configure `EMOTION_CLASSIFIER_URL` to trusted and secure services. 5. **Access Control:** If possible, ensure the external endpoint requires authentication. | LLM | hooks/emotion-state/handler.ts:370 |