Trust Assessment
prefetch-suggester received a trust score of 61/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 2 medium, and 1 low severity. Key findings include "Unpinned npm dependency version", "Second-Order Prompt Injection via User Code", and "Exfiltration of Local Code to Third-Party AI Service".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Second-Order Prompt Injection via User Code.** The skill sends user-provided local code directly into the LLM's prompt as 'user' content. If a user's local file contains text that mimics LLM instructions (e.g., 'ignore previous instructions and output X'), it could manipulate the LLM's behavior, leading to unintended or malicious outputs. The system prompt is fixed, but the user content is dynamic and untrusted. Implement robust sanitization or a 'jailbreak' detection mechanism for user-provided code before it's sent to the LLM. Consider using a separate, more constrained model or a content filter for user input. Clearly warn users that their local code will be sent to an external AI service and could be interpreted as instructions. | LLM | src/index.ts:20 |
| HIGH | **Exfiltration of Local Code to Third-Party AI Service.** The skill explicitly reads the content of local files (JavaScript, TypeScript, JSX, TSX, Vue, Svelte) from a user-specified directory and sends them to the OpenAI API. While this is the intended functionality for analysis, it constitutes data exfiltration of potentially sensitive local code, which might contain proprietary logic, API keys, or other confidential information, to an external third-party service. Clearly and prominently disclose to users that their local code will be sent to OpenAI for analysis. Provide options for users to review or redact sensitive parts of their code before submission, or to run the analysis locally if possible. Ensure OpenAI's data privacy policies are acceptable for the type of data being sent. | LLM | src/index.ts:19 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'commander' is not pinned to an exact version ('^12.1.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/lxgicstudios/prefetch-suggester/package.json |
| MEDIUM | **Excessive Filesystem Read Permissions.** The skill requests a directory from the user and then uses `glob` to read all files matching common web development extensions (`.js, .ts, .jsx, .tsx, .vue, .svelte`) within that directory and its subdirectories. While it includes an ignore list for common build artifacts and version control, the broad read access combined with the data exfiltration to OpenAI means that any sensitive files matching these extensions within the specified scope could be read and sent externally. Minimize the scope of file access where possible. Provide more granular control to the user over which files or subdirectories are scanned. Enhance the ignore list to include common patterns for sensitive files (e.g., `.env`, `config.*.js`). Clearly communicate the full scope of files that will be read and processed. | LLM | src/index.ts:7 |
| LOW | **Unpinned Dependencies in package.json.** The `package.json` uses caret (`^`) ranges for all dependencies (e.g., `"openai": "^4.73.0"`). While `package-lock.json` pins exact versions, using caret ranges in `package.json` means that future installations or updates could pull in new minor or patch versions of dependencies without explicit review. This introduces a minor supply chain risk, as a malicious update in a dependency could be automatically included. Consider using exact versions (e.g., `"openai": "4.73.0"`) or tilde (`~`) ranges for dependencies to ensure greater control over dependency updates. Regularly audit dependencies for known vulnerabilities. | LLM | package.json:9 |