Trust Assessment
neo received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include prompt injection via user-controlled module content, arbitrary file deletion via path traversal in `neo delete`, and arbitrary file write via path traversal in `update.py`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Prompt injection via user-controlled module content. The `neo <module>` command, implemented by the `cmd_inject` function in `scripts/neo.py`, reads the content of a module file and prints it to standard output. This output is intended to be loaded directly into the LLM's context. Since users can create new modules via `neo create <description>` (as described in SKILL.md) or modify custom modules, they can embed malicious instructions or data within these module files. When the LLM loads such a module, these instructions will be executed, potentially leading to prompt injection attacks, data exfiltration, or other unauthorized actions by the LLM. Implement strict sanitization or sandboxing of module content before it is fed into the LLM's context. Consider using a dedicated parsing mechanism that extracts only structured data, rather than directly injecting raw file content. If raw content must be injected, it should be treated as untrusted data and clearly delimited or escaped to prevent it from being interpreted as instructions by the LLM. | LLM | scripts/neo.py:190 |
| HIGH | Arbitrary file deletion via path traversal in `neo delete`. The `neo delete <module>` command, implemented by the `cmd_delete` function in `scripts/neo.py`, allows a user to specify a module name. This module name is used to construct a file path (`LIBRARY_DIR / registry["modules"][module].get("path", f"{module}.md")`) which is then deleted using `mod_path.unlink()`. The `SKILL.md` indicates that module names and paths can be influenced by user input during module creation (`neo create <description>`). If a malicious user creates a module with a name or path containing path traversal sequences (e.g., `../../../../etc/passwd`), they could delete arbitrary files outside the skill's intended library directory. Sanitize module names and paths to prevent path traversal. Ensure that module names do not contain characters like `/`, `..`, or `\` and that the constructed `mod_path` is strictly confined to the `LIBRARY_DIR` before any file operations. | LLM | scripts/neo.py:163 |
| HIGH | Arbitrary file write via path traversal in `update.py`. The `scripts/update.py` script's `merge_registries` function uses `shutil.copy2(upstream_path, local_path)` to copy module files. The `local_path` is constructed using `local_lib_path / upstream_mod.get('path', f'{mid}.md')`. The `path` field for a module in `registry.json` can be influenced by user-created modules (as described in SKILL.md for `neo create`). If a malicious user creates a module with a `path` containing path traversal sequences (e.g., `../../../../etc/malicious_config.txt`), the `update.py` script could be tricked into writing files to arbitrary locations outside the skill's intended library directory during an update operation. Sanitize module paths stored in `registry.json` and used in `update.py` to prevent path traversal. Ensure that paths are strictly confined to the `LIBRARY_DIR` and do not contain characters like `/`, `..`, or `\`. | LLM | scripts/update.py:71 |