Trust Assessment
landing-page-generator received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unsanitized user input leads to Cross-Site Scripting (XSS) in generated HTML.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unsanitized user input leads to Cross-Site Scripting (XSS) in generated HTML.** The `generate_html_landing_page` function in `scripts/generate_landing.py` constructs HTML content by directly embedding user-supplied command-line arguments (e.g., `headline`, `product`, `benefits`, `features`, `cta`, `guarantee`, `urgency`, `subheadline`) without sanitization or HTML escaping. An attacker providing malicious input (e.g., `<script>alert('XSS')</script>`) to these parameters would have their script executed when the generated HTML file is opened in a web browser. This affects every parameter that is inserted directly into the HTML output. **Remediation:** HTML-escape all user-supplied input before embedding it in the HTML output, using `html.escape` from Python's standard library. For example, replace `{headline}` with `{html.escape(headline)}` and do the same for every other user-controlled variable used in HTML generation. | LLM | scripts/generate_landing.py:100 |