Trust Assessment
gantt-chart received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include a missing required `name` field, HTML injection (XSS) via unsanitized input in `generate_html_gantt`, and an arbitrary file write vulnerability in `export_to_excel`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | HTML Injection (XSS) via unsanitized input in `generate_html_gantt` | The `generate_html_gantt` method directly inserts `self.project_name` and `task.name` into the generated HTML string without proper sanitization. If these values contain malicious HTML or JavaScript (e.g., `<script>alert('XSS')</script>`), it could lead to Cross-Site Scripting (XSS) when the HTML output is rendered in a web browser. This allows an attacker to execute arbitrary client-side scripts, potentially leading to data exfiltration, session hijacking, or defacement. | Sanitize all user-controlled input (e.g., `project_name`, `task.name`) before inserting it into HTML. Use an HTML escaping utility (e.g., `html.escape` in Python) to convert special characters like `<`, `>`, `&`, `"`, `'` into their HTML entities. | LLM | SKILL.md:200 |
| HIGH | Arbitrary file write vulnerability in `export_to_excel` | The `export_to_excel` method directly uses the `output_path` argument to create an Excel file without any path validation or sanitization. An attacker could provide a malicious path (e.g., `/etc/passwd`, `C:\Windows\System32\evil.exe`, or a path outside the intended working directory) to write arbitrary Excel files to sensitive locations on the system where the skill is executed, potentially overwriting critical system files or placing malicious content. | Implement strict validation and sanitization for `output_path`. Restrict file writes to a designated, sandboxed directory. Consider using a library that safely handles file paths, or disallow absolute paths. If possible, only allow filenames and prepend a secure base directory. | LLM | SKILL.md:260 |
| MEDIUM | Missing required field: `name` | The `name` field is required for claude_code skills but is missing from the frontmatter. | Add a `name` field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/gantt-chart/SKILL.md:1 |
| MEDIUM | Mermaid Output Injection via unsanitized input in `generate_mermaid_gantt` | The `generate_mermaid_gantt` method directly inserts `self.project_name` and `task.name` into the generated Mermaid diagram string. If these values contain Mermaid syntax control characters or directives, an attacker could manipulate the structure or content of the generated diagram, potentially leading to visual defacement or confusion. While not direct code execution, it can be used for visual prompt injection or to break the intended diagram. | Sanitize user-controlled input (e.g., `project_name`, `task.name`) before inserting it into Mermaid syntax. This might involve escaping specific characters that have meaning in Mermaid, such as backticks, quotes, or special delimiters, or restricting input to a safe character set. | LLM | SKILL.md:160 |