Trust Assessment
proactive-messages received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Prompt Injection via untrusted context in scheduled messages, Broad access to sensitive user data (calendar, email, conversation history).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Prompt Injection via untrusted context in scheduled messages The skill schedules proactive messages using a cron job template. The `payload.message` field includes a `Context: [what this is about]` placeholder. This context is derived from untrusted sources such as user conversations, calendar events, or email content. An attacker could craft malicious input in these sources (e.g., a calendar event title, an email subject/body, or a conversational phrase) to inject instructions into the LLM responsible for generating the proactive message. This could lead to the LLM ignoring safety instructions, generating unintended content, or attempting to exfiltrate information. Implement robust input sanitization and validation for all data used to populate the `[what this is about]` context. Consider using a separate, isolated LLM call for context extraction that is then passed to the message generation LLM as a structured, sanitized variable, rather than directly embedding raw untrusted text into the final prompt. Alternatively, use a templating system that strictly separates instructions from data. | LLM | SKILL.md:80 | |
| MEDIUM | Broad access to sensitive user data (calendar, email, conversation history) The skill explicitly instructs the agent to access and review the user's calendar, email, and conversation history as part of its daily scan. While this access is fundamental to the skill's functionality, the description implies broad read permissions across these highly sensitive data sources. This broad access increases the attack surface and the potential impact of other vulnerabilities (e.g., if a prompt injection were to successfully exfiltrate data from these sources). The skill does not specify any limitations on the scope of this access (e.g., read-only, specific folders, timeframes beyond 'today + next 2-3 days' for calendar). If possible, specify and enforce the minimum necessary permissions (e.g., read-only access, specific calendar/email folders, limited historical conversation data). Clearly document the scope of data access to users. Ensure that any data extracted from these sources is strictly sanitized before being used in LLM prompts or other sensitive operations. | LLM | SKILL.md:115 |
Scan History
Embed Code
[](https://skillshield.io/report/288805aed8891811)
Powered by SkillShield