Trust Assessment
monorepo-gen received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Unpinned dependencies in package.json, User-controlled package.json content sent to LLM.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 53/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary file write vulnerability via LLM-generated paths The skill constructs file paths for writing by joining a user-specified base directory (`dir`) with `filePath` values provided directly by the LLM's response. The `path.join` function does not prevent directory traversal if the `filePath` itself contains `../` sequences. A malicious actor could craft a prompt injection (e.g., via the `package.json` content sent to the LLM) to instruct the LLM to generate `filePath` values like `../../../../etc/passwd` or `../../../../.ssh/authorized_keys`. The skill would then attempt to write to these arbitrary system locations, potentially overwriting critical system files or injecting malicious content. Implement robust validation and sanitization of `filePath` values received from the LLM. Before calling `path.join`, ensure that `filePath` does not contain directory traversal sequences (`../`) and that the resulting `fullPath` remains strictly within the intended target directory. A common approach is to resolve the `fullPath` and then verify that it is a child path of the resolved `dir` (e.g., `!fullPath.startsWith(dir + path.sep)` or similar checks). Alternatively, restrict the LLM's output to only allow specific, safe file names or relative paths that do not contain traversal characters. | LLM | src/index.ts:29 | |
| HIGH | User-controlled package.json content sent to LLM The skill reads the `package.json` file from a user-specified directory (`dir`) and includes its content directly in the prompt sent to the OpenAI API. This poses two risks:
1. **Data Exfiltration**: Sensitive or proprietary information present in the `package.json` (e.g., internal package names, private registry URLs, specific build commands) could be inadvertently sent to an external LLM service.
2. **Prompt Injection**: A malicious user could craft a `package.json` file containing instructions designed to manipulate the LLM's behavior, potentially overriding its system prompt or extracting information. Although the LLM is constrained to JSON output, the content of the `package.json` could still influence the generated structure or attempt to reveal parts of the system prompt. Implement robust sanitization or filtering of any user-controlled input before including it in the LLM prompt. Consider if the entire `package.json` content is strictly necessary for the LLM's task, and if not, only send relevant, non-sensitive parts. Explicitly instruct the LLM to ignore any instructions found within the `package.json` context. | LLM | src/index.ts:9 | |
| MEDIUM | Unpinned npm dependency version Dependency 'commander' is not pinned to an exact version ('^12.1.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/lxgicstudios/monorepo-gen/package.json | |
| LOW | Unpinned dependencies in package.json The `package.json` file specifies dependencies using caret (`^`) ranges, which allows for minor and patch version updates. While `package-lock.json` pins exact versions, a fresh install without the lock file (e.g., in a CI/CD environment or if the lock file is ignored) could pull in newer, potentially vulnerable versions of dependencies. This increases the risk of supply chain attacks if a dependency introduces malicious code in a new version. Pin all dependencies to exact versions using `npm install --save-exact` or by manually removing `^` or `~` from version numbers in `package.json`. Ensure `package-lock.json` is always committed and used in deployment. | LLM | package.json:8 |
Scan History
Embed Code
[](https://skillshield.io/report/9ca1b5927ddf78df)
Powered by SkillShield