Trust Assessment
project-code-builder received a trust score of 36/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 0 critical, 3 high, 3 medium, and 2 low severity. Key findings include Unsafe deserialization / dynamic eval, Missing required field: name, Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns; legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/chleya/project-code-builder/src/workflows/orchestrator.js:216 |
| HIGH | Potential for prompt injection via user input. The skill is designed to accept natural language instructions from users to drive code generation, project planning, and execution. Examples in `SKILL.md` show users giving direct instructions to the underlying LLM (e.g., "Output only JSON structure, no explanations.", "Complete in max 3 steps"). This design makes the skill susceptible to prompt injection, where a malicious user could craft input to manipulate the LLM's behavior, extract sensitive information, or generate unintended code or actions. While no explicit "ignore previous instructions" text was found, the mechanism for such an attack is clearly present, and the skill's core functionality relies on interpreting user prompts. Implement robust input sanitization and validation for all user-provided prompts. Use a separate, hardened LLM for interpreting user commands versus generating code. Employ techniques such as instruction-following models, input/output filtering, and privilege separation for LLM interactions. Clearly define the boundaries of what the LLM can and cannot do based on user input. | LLM | SKILL.md:98 |
| HIGH | Command injection risk through unsanitized user input in file path creation. The `createWorkDirectory` function in `src/workflows/orchestrator.js` constructs a temporary directory path from `projectId` (e.g., `/tmp/project-code-builder/${projectId}_${Date.now()}`). If `projectId` is derived from unsanitized user input, an attacker could inject path traversal sequences (e.g., `../`) to create directories or files outside the intended temporary directory, potentially overwriting critical system files or exfiltrating data by writing to accessible locations. Although the current implementation returns a "simulated path", the comment `这里应该创建实际的工作目录` ("the actual working directory should be created here") indicates that this will eventually involve filesystem operations. Ensure that `params.projectId` is strictly validated and sanitized to reject path traversal characters (e.g., `../`, `/`, `\`) before it is used to construct file or directory paths. Use a library function that safely creates temporary directories or sanitizes path components. | LLM | src/workflows/orchestrator.js:109 |
| MEDIUM | Missing required field: name. The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the SKILL.md frontmatter. | Static | skills/chleya/project-code-builder/SKILL.md:1 |
| MEDIUM | Unpinned npm dependency version. Dependency `@octokit/rest` is not pinned to an exact version (`^20.0.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/chleya/project-code-builder/package.json |
| MEDIUM | Potential for command injection via direct shell commands in user prompts. The `SKILL.md` documentation includes an example of a user prompt containing a direct shell command: `git push && gh pr create`. If the underlying LLM or execution environment directly interprets and executes such user-provided strings as shell commands without proper sanitization or sandboxing, this is a critical command injection vulnerability: an attacker could craft malicious shell commands to execute arbitrary code on the host system. Ensure that any user input intended for command execution is strictly validated against an allow-list of safe commands and arguments. Avoid direct execution of arbitrary user-provided strings as shell commands. Implement a secure command execution mechanism that uses a sandbox or a highly restricted environment and explicitly separates command arguments from the command itself. | LLM | SKILL.md:178 |
| LOW | Node lockfile missing. `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/chleya/project-code-builder/package.json |
| LOW | Unpinned dependencies in package.json. The `package.json` file uses caret (`^`) ranges for dependencies (e.g., `"@octokit/rest": "^20.0.0"`). While this allows minor and patch updates, it means new versions of dependencies can be installed automatically without explicit review, and a malicious update to a minor version of a dependency could introduce vulnerabilities or unwanted behavior. This is common practice but increases supply-chain risk compared to exact pinning. Consider pinning dependencies to exact versions (e.g., `"@octokit/rest": "20.0.0"`) or using a lockfile (`package-lock.json` or `yarn.lock`) to ensure deterministic builds and prevent unexpected dependency updates. Regularly audit and update dependencies to mitigate known vulnerabilities. | LLM | package.json:14 |
[Full report](https://skillshield.io/report/865fa7f130ba6572)