Trust Assessment
frontend-design-ultimate received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 11 findings: 0 critical, 11 high, 0 medium, and 0 low severity. Key findings include Command Injection via unvalidated project name in initialization scripts, Supply Chain Risk: Unpinned dependencies in initialization and bundling scripts.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings11
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Command Injection via unvalidated project name in initialization scripts The `init-nextjs.sh` and `init-vite.sh` scripts directly interpolate the `$PROJECT_NAME` argument into `npx create-next-app` and `npm create vite` commands. While double quotes prevent simple word splitting, they do not prevent command substitution (e.g., `$(malicious_command)`). An attacker providing a malicious project name could execute arbitrary commands on the user's system when these scripts are run, leading to potential system compromise. Sanitize the `$PROJECT_NAME` argument to ensure it only contains valid characters for a directory name, or use a more robust method to pass arguments that prevents shell interpretation (e.g., explicitly checking for shell metacharacters like `$` or backticks and exiting if found). | LLM | scripts/init-nextjs.sh:20 | |
| HIGH | Command Injection via unvalidated project name in initialization scripts The `init-nextjs.sh` and `init-vite.sh` scripts directly interpolate the `$PROJECT_NAME` argument into `npx create-next-app` and `npm create vite` commands. While double quotes prevent simple word splitting, they do not prevent command substitution (e.g., `$(malicious_command)`). An attacker providing a malicious project name could execute arbitrary commands on the user's system when these scripts are run, leading to potential system compromise. Sanitize the `$PROJECT_NAME` argument to ensure it only contains valid characters for a directory name, or use a more robust method to pass arguments that prevents shell interpretation (e.g., explicitly checking for shell metacharacters like `$` or backticks and exiting if found). | LLM | scripts/init-vite.sh:19 | |
| HIGH | Supply Chain Risk: Unpinned dependencies in initialization and bundling scripts The `init-nextjs.sh`, `init-vite.sh`, and `bundle-artifact.sh` scripts use `npm install` and `npx` commands without specifying exact package versions (e.g., `npm install framer-motion` instead of `npm install framer-motion@^6.0.0`). This means the latest available version of each package will be pulled. If a package maintainer pushes a malicious update, or if a package's registry is compromised, users running these scripts could unknowingly install compromised software, leading to supply chain attacks. Specify exact or semver-pinned versions for all installed packages (e.g., `npm install parcel@^2.10.0`). For `npx` commands, use `npx <package>@<version>`. | LLM | scripts/bundle-artifact.sh:20 | |
| HIGH | Supply Chain Risk: Unpinned dependencies in initialization and bundling scripts The `init-nextjs.sh`, `init-vite.sh`, and `bundle-artifact.sh` scripts use `npm install` and `npx` commands without specifying exact package versions (e.g., `npm install framer-motion` instead of `npm install framer-motion@^6.0.0`). This means the latest available version of each package will be pulled. If a package maintainer pushes a malicious update, or if a package's registry is compromised, users running these scripts could unknowingly install compromised software, leading to supply chain attacks. Specify exact or semver-pinned versions for all installed packages (e.g., `npm install framer-motion@^10.16.4`). For `npx` commands, use `npx <package>@<version>`. | LLM | scripts/init-nextjs.sh:30 | |
| HIGH | Supply Chain Risk: Unpinned dependencies in initialization and bundling scripts The `init-nextjs.sh`, `init-vite.sh`, and `bundle-artifact.sh` scripts use `npm install` and `npx` commands without specifying exact package versions (e.g., `npm install framer-motion` instead of `npm install framer-motion@^6.0.0`). This means the latest available version of each package will be pulled. If a package maintainer pushes a malicious update, or if a package's registry is compromised, users running these scripts could unknowingly install compromised software, leading to supply chain attacks. Specify exact or semver-pinned versions for all installed packages (e.g., `npm install framer-motion@^10.16.4`). For `npx` commands, use `npx <package>@<version>`. | LLM | scripts/init-nextjs.sh:34 | |
| HIGH | Supply Chain Risk: Unpinned dependencies in initialization and bundling scripts The `init-nextjs.sh`, `init-vite.sh`, and `bundle-artifact.sh` scripts use `npm install` and `npx` commands without specifying exact package versions (e.g., `npm install framer-motion` instead of `npm install framer-motion@^6.0.0`). This means the latest available version of each package will be pulled. If a package maintainer pushes a malicious update, or if a package's registry is compromised, users running these scripts could unknowingly install compromised software, leading to supply chain attacks. Specify exact or semver-pinned versions for all installed packages (e.g., `npm install framer-motion@^10.16.4`). For `npx` commands, use `npx <package>@<version>`. | LLM | scripts/init-nextjs.sh:38 | |
| HIGH | Supply Chain Risk: Unpinned dependencies in initialization and bundling scripts The `init-nextjs.sh`, `init-vite.sh`, and `bundle-artifact.sh` scripts use `npm install` and `npx` commands without specifying exact package versions (e.g., `npm install framer-motion` instead of `npm install framer-motion@^6.0.0`). This means the latest available version of each package will be pulled. If a package maintainer pushes a malicious update, or if a package's registry is compromised, users running these scripts could unknowingly install compromised software, leading to supply chain attacks. Specify exact or semver-pinned versions for all installed packages (e.g., `npm install tailwindcss@^3.3.3`). For `npx` commands, use `npx <package>@<version>`. | LLM | scripts/init-vite.sh:27 | |
| HIGH | Supply Chain Risk: Unpinned dependencies in initialization and bundling scripts The `init-nextjs.sh`, `init-vite.sh`, and `bundle-artifact.sh` scripts use `npm install` and `npx` commands without specifying exact package versions (e.g., `npm install framer-motion` instead of `npm install framer-motion@^6.0.0`). This means the latest available version of each package will be pulled. If a package maintainer pushes a malicious update, or if a package's registry is compromised, users running these scripts could unknowingly install compromised software, leading to supply chain attacks. Specify exact or semver-pinned versions for all installed packages (e.g., `npm install framer-motion@^10.16.4`). For `npx` commands, use `npx <package>@<version>`. | LLM | scripts/init-vite.sh:30 | |
| HIGH | Supply Chain Risk: Unpinned dependencies in initialization and bundling scripts The `init-nextjs.sh`, `init-vite.sh`, and `bundle-artifact.sh` scripts use `npm install` and `npx` commands without specifying exact package versions (e.g., `npm install framer-motion` instead of `npm install framer-motion@^6.0.0`). This means the latest available version of each package will be pulled. If a package maintainer pushes a malicious update, or if a package's registry is compromised, users running these scripts could unknowingly install compromised software, leading to supply chain attacks. Specify exact or semver-pinned versions for all installed packages (e.g., `npm install tailwindcss-animate@^1.0.7`). For `npx` commands, use `npx <package>@<version>`. | LLM | scripts/init-vite.sh:33 | |
| HIGH | Supply Chain Risk: Unpinned dependencies in initialization and bundling scripts The `init-nextjs.sh`, `init-vite.sh`, and `bundle-artifact.sh` scripts use `npm install` and `npx` commands without specifying exact package versions (e.g., `npm install framer-motion` instead of `npm install framer-motion@^6.0.0`). This means the latest available version of each package will be pulled. If a package maintainer pushes a malicious update, or if a package's registry is compromised, users running these scripts could unknowingly install compromised software, leading to supply chain attacks. Specify exact or semver-pinned versions for all installed packages (e.g., `npm install lucide-react@^0.292.0`). For `npx` commands, use `npx <package>@<version>`. | LLM | scripts/init-vite.sh:34 | |
| HIGH | Supply Chain Risk: Unpinned dependencies in initialization and bundling scripts The `init-nextjs.sh`, `init-vite.sh`, and `bundle-artifact.sh` scripts use `npm install` and `npx` commands without specifying exact package versions (e.g., `npm install framer-motion` instead of `npm install framer-motion@^6.0.0`). This means the latest available version of each package will be pulled. If a package maintainer pushes a malicious update, or if a package's registry is compromised, users running these scripts could unknowingly install compromised software, leading to supply chain attacks. Specify exact or semver-pinned versions for all installed packages (e.g., `npm install @radix-ui/react-slot@^1.0.2`). For `npx` commands, use `npx <package>@<version>`. | LLM | scripts/init-vite.sh:35 |
Scan History
Embed Code
[](https://skillshield.io/report/8e8983aa8e9a49ea)
Powered by SkillShield