Trust Assessment
identity-anchor received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The findings are Arbitrary File Hashing and Filename Disclosure (high) and Configurable Workspace Allows Broad File Access (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary File Hashing and Filename Disclosure | LLM | scripts/identity.py:200 |
| MEDIUM | Configurable Workspace Allows Broad File Access | LLM | scripts/identity.py:197 |

HIGH: Arbitrary File Hashing and Filename Disclosure (LLM layer, scripts/identity.py:200)

The `identity.py` script lets the caller name arbitrary files for hashing through the `--files` command-line argument. The script reads the content of each named file and, critically, returns the *names* of the hashed files in the output of the `sign` and `verify` commands. The `history` command additionally exposes every previously hashed filename stored in `fingerprints.jsonl`. An attacker who can steer the agent (for example through prompt injection) can therefore learn the existence and paths of sensitive files (`.env`, configuration files, secret files) on the agent's filesystem simply by instructing it to hash them. The file *content* is not exfiltrated directly, but knowing which files exist and where they live is a significant information leak. Caveat for the remediation below: if the per-file digests are also returned, a digest of a short, low-entropy secret can be matched against guesses offline, so returning the digest instead of the name is not a complete mitigation by itself.

1. **Restrict file paths**: Modify the `_create_fingerprint` and `_hash_file` methods to accept only a predefined, allow-listed set of filenames (e.g., `SOUL.md`, `IDENTITY.md`, `MEMORY.md`). If user-defined files are absolutely necessary, implement strict path validation that rejects directory traversal (`..`), absolute paths, and symlinks, so that every file is strictly within the designated `workspace` and is not a sensitive system file.
2. **Redact filenames from output**: Remove `files_hashed` from the return values of the `sign` and `verify` commands. The agent should not be told the names of files it just hashed when those names came from untrusted input.
3. **Redact filenames from history**: The `history` command should redact or restrict the filenames it returns, especially those that were user-provided. Return only hashes, or a hash of the list of filenames, not the individual names.

MEDIUM: Configurable Workspace Allows Broad File Access (LLM layer, scripts/identity.py:197)

The `identity.py` script accepts an arbitrary path for the `--workspace` argument. The default is `Path.cwd()`, but an attacker could use prompt injection to have the agent set the workspace to a sensitive directory (e.g., `/`, `/etc`, `/var/log`) and then combine this with the arbitrary file hashing finding above to enumerate files in that directory. Although the script attempts to confine its operations to a `workspace`, the absence of validation on the `--workspace` argument itself means the agent can be directed to operate on files outside its intended operational scope.

1. **Validate workspace path**: Implement strict validation for the `--workspace` argument. Ensure it points to a directory within the agent's allowed operational sandbox or another known safe location, and refuse root directories, system directories, and any directory outside the agent's designated skill execution environment.
2. **Principle of least privilege**: Re-evaluate whether the `--workspace` argument is necessary at all, or whether the skill should always operate relative to its own skill directory or a tightly controlled data directory.
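Both findings call for the same control: keep the workspace inside a sandbox root, resolve every untrusted `--files` entry against that workspace with traversal, absolute-path and symlink checks, and stop echoing untrusted filenames back to the agent. The block below is an added example written for this report, not code from identity-anchor; the function names (`validate_workspace`, `resolve_allowed_file`, `fingerprint`), the `sandbox_root` parameter, the allow-list contents and the combined-digest output format are assumptions about how such a script could be structured, and the files it creates are constructed in a temporary directory.

```python
"""Path containment for a file-fingerprinting skill (added example, not identity-anchor code)."""
import hashlib
import tempfile
from pathlib import Path

# Hypothetical allow-list of the only files the skill is meant to fingerprint.
ALLOWED_FILES = frozenset({"SOUL.md", "IDENTITY.md", "MEMORY.md"})


def validate_workspace(workspace: str, sandbox_root: str) -> Path:
    """Return the resolved workspace if it is a directory inside sandbox_root.

    Resolving both sides first means '..' segments and symlinked parents are
    compared on their real locations. A missing path raises FileNotFoundError.
    """
    root = Path(sandbox_root).resolve(strict=True)
    ws = Path(workspace).resolve(strict=True)
    if not ws.is_dir():
        raise ValueError(f"workspace is not a directory: {workspace}")
    if ws != root and root not in ws.parents:
        raise ValueError(f"workspace {workspace} escapes sandbox {sandbox_root}")
    return ws


def resolve_allowed_file(workspace: Path, name: str) -> Path:
    """Map one untrusted --files entry to a regular file directly inside workspace."""
    # Only bare filenames are accepted: this rejects '../x', '/etc/passwd', 'sub/x'.
    if name in ("", ".", "..") or name != Path(name).name:
        raise ValueError(f"rejected file argument: {name!r}")
    if name not in ALLOWED_FILES:
        raise ValueError(f"file not in allow-list: {name}")
    candidate = workspace / name
    # is_symlink() inspects the link itself, so a symlink pointing out of the
    # workspace is refused before anything is read through it.
    if candidate.is_symlink():
        raise ValueError(f"symlinks are not permitted: {name}")
    real = candidate.resolve(strict=True)
    if real.parent != workspace:
        raise ValueError(f"{name} resolves outside the workspace")
    if not real.is_file():
        raise ValueError(f"not a regular file: {name}")
    return real


def fingerprint(workspace: str, files, sandbox_root: str) -> dict:
    """Hash the allowed files and report a count plus one combined digest.

    Filenames are deliberately not returned: names that arrived as untrusted
    input must not be echoed back to the agent or written to a history log.
    """
    ws = validate_workspace(workspace, sandbox_root)
    digest = hashlib.sha256()
    count = 0
    for name in sorted(files):
        data = resolve_allowed_file(ws, name).read_bytes()
        # Length-prefix each file so concatenation boundaries are unambiguous.
        digest.update(len(data).to_bytes(8, "big"))
        digest.update(data)
        count += 1
    return {"files_hashed": count, "sha256": digest.hexdigest()}


def demo() -> dict:
    """Exercise the checks against a constructed sandbox in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ws = root / "workspace"
        ws.mkdir()
        (ws / "SOUL.md").write_text("I am the agent.\n")          # constructed
        outside = root / "secret.env"
        outside.write_text("API_KEY=constructed-value\n")         # constructed
        (ws / "MEMORY.md").symlink_to(outside)  # allow-listed name, escaping link

        results["ok"] = fingerprint(str(ws), ["SOUL.md"], str(root))
        attempts = {
            "traversal": ["../secret.env"],
            "absolute": [str(outside)],
            "symlink": ["MEMORY.md"],
            "not_allowed": [".env"],
        }
        for label, names in attempts.items():
            try:
                fingerprint(str(ws), names, str(root))
                results[label] = "accepted"
            except ValueError:
                results[label] = "rejected"
        try:
            validate_workspace("/", str(root))
            results["workspace_root"] = "accepted"
        except ValueError:
            results["workspace_root"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The symlink case is the one most often missed: `MEMORY.md` is an allow-listed name and sits inside the workspace, yet reading it would hash `secret.env` one level up, so the check has to look at the link itself rather than only at the resolved parent.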
Full report: https://skillshield.io/report/9a9fcdf76dafdcc0
Powered by SkillShield