Trust Assessment
personas received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Subagent prompt injection via persona content or user message, Path traversal vulnerability in persona creation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Subagent prompt injection via persona content or user message The subagent's prompt is constructed by directly embedding the contents of `SOUL.md`, `PERSONALITY.md`, `MEMORY.md`, and the `user_message` without any apparent sanitization or escaping. A malicious user could craft these inputs (either by creating a malicious persona or sending a crafted user message) to inject new instructions into the subagent's prompt, overriding its intended behavior, extracting information, or attempting to bypass its stated restrictions. Implement robust input sanitization and escaping for all user-controlled content (`SOUL.md`, `PERSONALITY.md`, `MEMORY.md`, `user_message`) before embedding them into the subagent's prompt. Consider using a templating engine that automatically escapes variables or explicitly define prompt boundaries that are difficult to break out of. For `user_message`, prefer using a dedicated `user` role in a chat-based prompt structure rather than direct string interpolation. | LLM | SKILL.md:39 | |
| HIGH | Path traversal vulnerability in persona creation The 'Create a persona' command instructs the system to create a folder `profiles/<name>/`. If the `<name>` input is directly taken from user input without proper sanitization, a malicious user could provide a path traversal sequence (e.g., `../`, `../../`) to create directories or files outside the intended `profiles/` directory. This could lead to arbitrary file creation, overwriting existing files, or potentially executing commands if the underlying file system operation is vulnerable to shell injection. Strictly validate and sanitize the `<name>` input to ensure it only contains allowed characters (e.g., alphanumeric, hyphens, underscores) and does not contain path separators (`/`, `\`) or path traversal sequences (`..`). Ensure that the underlying file system API used to create the folder is robust against command injection and path traversal. | LLM | SKILL.md:29 |
Scan History
Embed Code
[](https://skillshield.io/report/695bfb22a5fa33d6)
Powered by SkillShield