Trust Assessment
flow received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 3 critical, 3 high, 8 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Unpinned Python dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (15)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python dynamic code execution (exec/eval/compile). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bvinci1-design/flow/skill_scanner_integration.py:50 |
| CRITICAL | Arbitrary command execution. Python dynamic code execution (exec/eval/compile). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bvinci1-design/flow/skill_scanner_integration.py:51 |
| CRITICAL | Arbitrary Code Execution via Malicious Skill Name in Generated Imports. The `SkillComposer._generate_skill_code` function generates Python import statements using string interpolation: `f' from {skill_module_name} import {skill_class_name}'`. The `skill_module_name` and `skill_class_name` are derived from `skill.name`, which is loaded from the `skill_registry.json` file. If the `skill_registry.json` is compromised, an attacker could register a skill with a malicious `name` (e.g., `__import__('os').system('rm -rf /')`). When the generated Python file is executed, this crafted import statement would lead to arbitrary code execution. This represents a critical supply chain risk if the registry is not adequately secured. Validate and sanitize `skill.name` before using it to construct import statements. Ensure `skill.name` adheres to valid Python module/class naming conventions and does not contain any characters that could lead to code injection. Consider using a safer mechanism for loading components, such as a whitelist of allowed module names or a sandboxed execution environment. | LLM | skill_composer.py:146 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/bvinci1-design/flow/streamlit_ui.py:286 |
| HIGH | Path Traversal in Generated Skill Filename. The `SkillComposer._generate_skill_code` function constructs the output filename using `os.path.join(self.output_directory, f'{name}.py')`. The `name` variable is derived from `intent.suggested_name` or `intent.primary_action`, which originate from untrusted user input. If the user input contains path traversal sequences (e.g., `../../`), an attacker could craft a request to write the generated skill file to an arbitrary location outside the intended `output_directory`. For example, `intent.primary_action = 'build a skill ../../etc/malicious'` could lead to writing a file at `/etc/malicious.py`. Sanitize the `name` variable to remove or escape any path traversal characters (e.g., `.` or `/`) before using it in `os.path.join`. A common approach is to use `re.sub(r'[^\w.-]', '_', name)` to replace non-alphanumeric characters with underscores. | LLM | skill_composer.py:106 |
| HIGH | Arbitrary File Read by Security Scanner via Compromised Skill Registry. The `SkillScannerIntegration.scan` method takes a `path` argument, which is derived from `SkillMetadata.path` loaded from `skill_registry.json`. If the `skill_registry.json` file is compromised, an attacker could modify `SkillMetadata.path` to point to sensitive system files (e.g., `/etc/passwd`, `/root/.ssh/id_rsa`). The `_scan_file` method then proceeds to open and read the content of this arbitrary file. While the scanner's purpose is to read code, allowing it to read any file specified by a potentially untrusted registry constitutes an excessive permission and a data exfiltration risk if the scanner's output (containing the file content) is exposed. Implement strict validation and sanitization of `SkillMetadata.path` to ensure it only points to files within an allowed, sandboxed skill directory. Do not allow `..` or absolute paths outside the designated skill storage. Ensure the `skill_registry.json` file itself is protected with appropriate access controls. | LLM | skill_scanner_integration.py:140 |
| MEDIUM | Unpinned Python dependency version. Requirement 'streamlit>=1.28.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bvinci1-design/flow/requirements.txt:4 |
| MEDIUM | Unpinned Python dependency version. Requirement 'pandas>=2.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bvinci1-design/flow/requirements.txt:5 |
| MEDIUM | Unpinned Python dependency version. Requirement 'nltk>=3.8.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bvinci1-design/flow/requirements.txt:8 |
| MEDIUM | Unpinned Python dependency version. Requirement 'spacy>=3.6.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bvinci1-design/flow/requirements.txt:9 |
| MEDIUM | Unpinned Python dependency version. Requirement 'bandit>=1.7.5' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bvinci1-design/flow/requirements.txt:12 |
| MEDIUM | Unpinned Python dependency version. Requirement 'safety>=2.3.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bvinci1-design/flow/requirements.txt:13 |
| MEDIUM | Unpinned Python dependency version. Requirement 'ast-grep>=0.12.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bvinci1-design/flow/requirements.txt:16 |
| MEDIUM | Unpinned Python dependency version. Requirement 'pylint>=2.17.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bvinci1-design/flow/requirements.txt:17 |
| INFO | Unpinned Dependencies in requirements.txt. The `requirements.txt` file uses `>=` for dependency versions (e.g., `streamlit>=1.28.0`). While this allows for patch and minor version updates, it introduces a slight supply chain risk. If a malicious update is pushed to a later version of a dependency within the allowed range, it could be automatically installed, potentially introducing vulnerabilities or backdoors. For maximum security and reproducibility, strict pinning (`==`) is generally recommended. Pin all dependencies to exact versions using `==` (e.g., `streamlit==1.28.0`). Regularly audit and update these pinned versions after verifying their integrity and security. | LLM | requirements.txt:2 |