Trust Assessment
The `guardrails` skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 21 findings: 10 critical, 5 high, 5 medium, and 1 low severity. Key findings include network egress to untrusted endpoints, unsafe environment variable passthrough, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (21)
| Severity | Finding | Detail | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | Python requests POST/PUT to URL | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dgriffin831/guardrails/scripts/generate_guardrails_md.py:49 |
| CRITICAL | Network egress to untrusted endpoints | Python requests POST/PUT to URL | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dgriffin831/guardrails/scripts/generate_guardrails_md.py:71 |
| CRITICAL | Network egress to untrusted endpoints | Python requests POST/PUT to URL | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dgriffin831/guardrails/scripts/generate_questions.py:38 |
| CRITICAL | Network egress to untrusted endpoints | Python requests POST/PUT to URL | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dgriffin831/guardrails/scripts/generate_questions.py:61 |
| CRITICAL | Credential harvesting | Reading well-known credential environment variables | Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/dgriffin831/guardrails/scripts/generate_guardrails_md.py:37 |
| CRITICAL | Credential harvesting | Reading well-known credential environment variables | Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/dgriffin831/guardrails/scripts/generate_guardrails_md.py:41 |
| CRITICAL | Credential harvesting | Reading well-known credential environment variables | Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/dgriffin831/guardrails/scripts/generate_questions.py:26 |
| CRITICAL | Credential harvesting | Reading well-known credential environment variables | Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/dgriffin831/guardrails/scripts/generate_questions.py:30 |
| CRITICAL | Prompt Injection via Untrusted Workspace Content to LLM | The `scripts/discover.sh` script reads content from various workspace files, including `SKILL.md` descriptions of other skills, `USER.md`, `MEMORY.md`, `AGENTS.md`, and `GUARDRAILS.md`. This collected data is then included in the `discovery` JSON output. This `discovery` JSON is subsequently fed directly as part of the `user_message` to an external LLM by both `scripts/generate_questions.py` and `scripts/generate_guardrails_md.py`. Additionally, `scripts/generate_guardrails_md.py` feeds 'custom answers' from the interactive interview directly to the LLM. A malicious actor could embed prompt injection instructions within any of these untrusted content sources (e.g., a crafted `SKILL.md` description, `USER.md` file, or custom answer), manipulating the LLM's behavior during question generation or guardrail document creation. This could lead to the LLM generating malicious guardrails, revealing sensitive information, or performing unintended actions. | Sanitize or filter all untrusted content (skill descriptions, user-generated `.md` files, custom user answers) before feeding it to the LLM. Implement strict input validation and consider using LLM guardrails or content moderation APIs to detect and block malicious prompts. | LLM | scripts/generate_guardrails_md.py:139 |
| CRITICAL | Prompt Injection via Untrusted Workspace Content to LLM (generate_questions.py) | The `scripts/discover.sh` script reads content from various workspace files, including `SKILL.md` descriptions of other skills, `USER.md`, `MEMORY.md`, `AGENTS.md`, and `GUARDRAILS.md`. This collected data is then included in the `discovery` JSON output. This `discovery` JSON is subsequently fed directly as part of the `user_message` to an external LLM by `scripts/generate_questions.py`. A malicious actor could embed prompt injection instructions within any of these untrusted content sources (e.g., a crafted `SKILL.md` description or `USER.md` file), manipulating the LLM's behavior during question generation. This could lead to the LLM generating misleading or malicious questions, influencing the guardrail setup process. | Sanitize or filter all untrusted content (skill descriptions, user-generated `.md` files) before feeding it to the LLM. Implement strict input validation and consider using LLM guardrails or content moderation APIs to detect and block malicious prompts. | LLM | scripts/generate_questions.py:140 |
| HIGH | Unsafe environment variable passthrough | Access to well-known credential environment variables | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/dgriffin831/guardrails/scripts/generate_guardrails_md.py:37 |
| HIGH | Unsafe environment variable passthrough | Access to well-known credential environment variables | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/dgriffin831/guardrails/scripts/generate_guardrails_md.py:41 |
| HIGH | Unsafe environment variable passthrough | Access to well-known credential environment variables | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/dgriffin831/guardrails/scripts/generate_questions.py:26 |
| HIGH | Unsafe environment variable passthrough | Access to well-known credential environment variables | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/dgriffin831/guardrails/scripts/generate_questions.py:30 |
| HIGH | Data Exfiltration via LLM Input | The `scripts/discover.sh` script reads and includes potentially sensitive content from various workspace files, such as `USER.md`, `MEMORY.md`, `AGENTS.md`, `GUARDRAILS.md`, and skill `SKILL.md` files, into its `discovery` JSON output. This `discovery` JSON is then sent to external LLM APIs by `scripts/generate_questions.py` and `scripts/generate_guardrails_md.py`. Similarly, `scripts/monitor.sh` includes context snippets from `MEMORY.md` files in its report, which could also be processed by an LLM. This creates a risk of sensitive user data, internal agent state, or other confidential information being inadvertently exfiltrated to the LLM provider or a compromised LLM. | Review and strictly limit the amount and type of data from workspace files that is sent to external LLMs. Implement data redaction or anonymization for sensitive information before it is included in LLM prompts. Ensure that LLM providers' data handling policies align with security requirements. | LLM | scripts/discover.sh:80 |
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. | Add a 'name' field to the SKILL.md frontmatter. | Static | skills/dgriffin831/guardrails/SKILL.md:1 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/dgriffin831/guardrails/scripts/generate_guardrails_md.py:18 |
| MEDIUM | Python file could not be statically analyzed | SyntaxError: invalid syntax (line 325) | | Static | skills/dgriffin831/guardrails/scripts/generate_questions.py:325 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/dgriffin831/guardrails/scripts/discover.sh:8 |
| MEDIUM | Arbitrary File Write Capability | The `scripts/generate_guardrails_md.py` script writes the `guardrails-config.json` file to a path specified as a command-line argument (`sys.argv[1]`). While the `SKILL.md` description implies this path is fixed to the workspace root, the script itself does not enforce this. If the calling environment (e.g., the agent orchestrator) were compromised or allowed manipulation of this argument, an attacker could specify an arbitrary file path, leading to an arbitrary file write vulnerability. This could overwrite critical system files or place malicious content in unexpected locations. | The script should validate the target path to ensure it is within an allowed, restricted directory (e.g., the workspace root or a designated configuration directory). Avoid taking arbitrary file paths as direct command-line arguments without strict validation. | LLM | scripts/generate_guardrails_md.py:160 |
| LOW | Unpinned Python Dependency | The `SKILL.md` explicitly states that Python scripts require the `requests` library and suggests `pip install requests`. However, it does not specify a version or version range for this dependency. This 'unpinned' dependency introduces a supply chain risk, as future installations could pull a new, potentially incompatible, or even malicious version of `requests` if the package index is compromised or a typosquatting attack occurs. While `requests` is a widely used and generally trusted library, best practice dictates pinning dependencies. | Pin the version of the `requests` library (e.g., `requests==2.28.1`) or specify a compatible version range in a `requirements.txt` file to ensure deterministic and secure installations. This mitigates risks associated with unexpected changes or malicious updates to the dependency. | LLM | SKILL.md:67 |
Full report: https://skillshield.io/report/29baa505ee2664e7