Trust Assessment
project-tree received a trust score of 36/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Sensitive path access: AI agent config, Command Injection via execSync in Hook Handler.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via execSync in Hook Handler. The `handler.ts` code, presented as part of the untrusted skill content within `SKILL.md`, utilizes `child_process.execSync` to execute a shell command. The command string `node ${scriptPath}` interpolates `scriptPath`, which is constructed using `event.context.workspaceDir`. If an attacker can manipulate the value of `event.context.workspaceDir` (e.g., by crafting a malicious skill installation path containing shell metacharacters), this could lead to arbitrary command execution on the host system. While `event.context.workspaceDir` is typically controlled by the platform, the use of `execSync` with string interpolation in untrusted code creates a direct and high-risk command injection vector. Replace `child_process.execSync` with `child_process.execFile` and pass the script path as a separate argument to prevent shell interpretation. For example, `execFile('node', [scriptPath], { cwd: event.context.workspaceDir, stdio: 'pipe' })`. Additionally, ensure that `event.context.workspaceDir` is strictly validated and sanitized by the platform before being used in command execution contexts. | LLM | SKILL.md:76 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/lachlanglasgow/project-tree/SKILL.md:57 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/lachlanglasgow/project-tree/SKILL.md:69 |
| MEDIUM | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/lachlanglasgow/project-tree/scripts/project-tree.js:61 |