Trust Assessment
prospector received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 0 high, 1 medium, and 0 low severity. They are: Prompt Injection: Skill Definition from Untrusted Source (critical), Command Injection via Unsanitized User Input in Python Shell Command (critical), and Supply Chain Risk: Unpinned Dependency (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. LLM Behavioral Safety scored lowest at 33/100; all three findings are attributed to that layer.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Prompt Injection: Skill Definition from Untrusted Source. The entire `SKILL.md` content, which defines the skill's workflow, user interactions, and the commands to execute, sits inside `UNTRUSTED_INPUT` delimiters, so the host LLM takes its operating instructions from content that is marked as untrusted and unverified. That is a prompt-injection condition by construction. Move the skill definition, workflow instructions, and command-execution directives outside the untrusted-input delimiters, and keep only user-supplied data, or configuration that is not meant to instruct the LLM, inside them. Before acting on this finding, compare it against the raw `SKILL.md` in the repository: if the delimiters are added by the analysis harness rather than present in the file, the finding does not describe the shipped skill. | LLM | SKILL.md:1 |
| CRITICAL | Command Injection via Unsanitized User Input in Python Shell Command. `SKILL.md` instructs the LLM to construct and run a `python3 -c` command in which the user-provided value `[KEYWORDS or empty string]` is interpolated directly into a Python dictionary literal. Input such as `', 'malicious_key': 'malicious_value' } ; import os; os.system('rm -rf /') #` closes the string literal, closes the dictionary, and appends arbitrary Python, which then executes on the host. Do not build the command by string interpolation. Pass the value as its own argument to a script (e.g. `python3 script.py --keywords "[KEYWORDS]"`, invoked as an argv list rather than through a shell) and parse it with `argparse`; if a single shell command line is unavoidable, quote the value with `shlex.quote` instead of hand-escaping it. | LLM | SKILL.md:120 |
| MEDIUM | Supply Chain Risk: Unpinned Dependency. `scripts/prospector.py` imports `httpx`, and no version is pinned for it anywhere the scan could see (an `import` statement cannot pin one; the pin belongs in a requirements or lock file). Unpinned dependencies are a supply-chain exposure: if a compromised release of `httpx` (or any other unpinned dependency) is published, or the name resolves to a typosquatted package, the skill installs and runs that code during setup or update. Pin every direct and transitive dependency to an exact version (e.g. `httpx==0.25.0`) in `requirements.txt`, preferably with `--hash=` digests enforced by `pip install --require-hashes`, and generate that file with a tool that produces it deterministically so installs are reproducible. | LLM | scripts/prospector.py:10 |
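The command-injection finding above, worked through in code. This is an added example, not code from the prospector skill or from SkillShield: the report quotes only the `[KEYWORDS or empty string]` placeholder and the payload, so `VULNERABLE_TEMPLATE`, the `prospector.py` command-line flags and the `--limit` option are assumptions made for the demo. The interpolated source is parsed with `ast` and never executed; the point is to show that the payload turns one dictionary literal into extra statements, and that the argv/argparse form delivers the same bytes as inert data.

```python
import argparse
import ast
import shlex
import sys
from typing import List, Tuple

# Hypothetical stand-in for the `python3 -c` command the SKILL.md builds: the
# report quotes only the `[KEYWORDS or empty string]` placeholder, so the rest
# of the template is an assumption made for this demo.
VULNERABLE_TEMPLATE = (
    "import json; cfg = {'keywords': '[KEYWORDS]', 'limit': 10}; "
    "print(json.dumps(cfg))"
)

# The payload quoted in the finding. It is only ever parsed here, never run.
PAYLOAD = (
    "', 'malicious_key': 'malicious_value' } ; import os; "
    "os.system('rm -rf /') #"
)


def build_vulnerable_code(keywords: str) -> str:
    """Naive interpolation, exactly what the finding describes: the user value
    is spliced into Python source text."""
    return VULNERABLE_TEMPLATE.replace("[KEYWORDS]", keywords)


def inspect_code(code: str) -> Tuple[int, List[str]]:
    """Parse (do not execute) the interpolated source and report how many
    top-level statements it has and which `module.func(...)` calls appear.
    A benign keyword yields the template's three statements and json.dumps;
    the payload yields four statements and os.system."""
    tree = ast.parse(code)
    calls = sorted({
        f"{n.func.value.id}.{n.func.attr}"
        for n in ast.walk(tree)
        if isinstance(n, ast.Call)
        and isinstance(n.func, ast.Attribute)
        and isinstance(n.func.value, ast.Name)
    })
    return len(tree.body), calls


def build_safe_argv(keywords: str) -> List[str]:
    """Hardened form: the untrusted value is its own argv element, so the
    script receives it as data. Hand this list to subprocess.run() with the
    default shell=False; never join it into one string."""
    return [sys.executable, "prospector.py", "--keywords", keywords]


def safe_shell_line(keywords: str) -> str:
    """If a single shell command line must be emitted (e.g. shown to a user),
    shlex.quote() makes the value survive the shell as one literal word."""
    return "python3 prospector.py --keywords " + shlex.quote(keywords)


def shell_roundtrip(keywords: str) -> str:
    """What a POSIX shell would hand the script as the last argv element."""
    return shlex.split(safe_shell_line(keywords))[-1]


def parse_keywords(argv: List[str]) -> dict:
    """Script-side parsing with argparse (hypothetical prospector.py CLI):
    whatever the value contains, it comes back as a plain string."""
    parser = argparse.ArgumentParser(prog="prospector.py")
    parser.add_argument("--keywords", default="")
    parser.add_argument("--limit", type=int, default=10)
    ns = parser.parse_args(argv)
    return {"keywords": ns.keywords, "limit": ns.limit}


if __name__ == "__main__":
    for label, value in (("benign", "solar installers"), ("payload", PAYLOAD)):
        count, calls = inspect_code(build_vulnerable_code(value))
        print(f"{label}: {count} statements, calls={calls}")
    print(build_safe_argv(PAYLOAD))
    print(parse_keywords(["--keywords", PAYLOAD]))
    print(shell_roundtrip(PAYLOAD) == PAYLOAD)
```

The two halves of the fix belong together: the argv list keeps the shell out of the path, and `argparse` on the script side keeps the value out of any Python source. Escaping only helps for the one context you escape for, which is why `shlex.quote` is shown as the fallback for a shell string and not as a substitute for passing arguments properly.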
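The check behind the unpinned-dependency finding, as an added example that is not part of the report or the prospector project: a small auditor that classifies each line of a `requirements.txt` as exactly pinned, pinned with a digest, floating within a range, or unpinned. The sample file, the package set and the zeroed `sha256` digest are constructed for the demo; the skill's real dependency list is not reproduced on the page.

```python
import re
from typing import List, Optional, Tuple

FAKE_HASH = "0" * 64  # placeholder digest, constructed for the demo

# Constructed sample requirements file for this demo; the skill's real
# dependency list is not reproduced on the report page.
SAMPLE_REQUIREMENTS = f"""\
# prospector dependencies (constructed example)
httpx                     # bare name: resolves to whatever pip finds today
requests >= 2.31          # lower bound only: still floats upward
pydantic~=2.5             # compatible release: floats within 2.x
numpy==1.26.*             # wildcard pin: floats within 1.26
rich==13.7.0              # exact pin
anyio==4.2.0 --hash=sha256:{FAKE_HASH}   # exact pin plus digest
-r other.txt              # pip option line, skipped
"""

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?")


def classify_requirement(line: str) -> Optional[Tuple[str, str]]:
    """Classify one requirements.txt line.

    Returns (name, status) with status one of 'unpinned', 'range', 'pinned',
    'pinned+hash', or None for blank, comment, option and URL/path lines.
    Only the plain name/specifier form is handled; environment markers after
    ';' are ignored and per-requirement options (--hash=...) are recognised."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    tokens = line.split()
    opts = [t for t in tokens if t.startswith("--")]
    req = "".join(t for t in tokens if not t.startswith("--")).split(";", 1)[0]
    m = NAME_RE.match(req)
    if not m:
        return None  # URL or path requirement, out of scope here
    name = m.group(1).lower()
    spec = req[m.end():]
    has_hash = any(o.startswith("--hash=") for o in opts)
    if not spec:
        status = "unpinned"
    elif re.fullmatch(r"===?[^,*]+", spec):
        # a single == / === clause with no wildcard and no second clause
        status = "pinned+hash" if has_hash else "pinned"
    else:
        status = "range"
    return name, status


def audit_requirements(text: str) -> dict:
    """Summarise a requirements file: entries in order, plus sorted names
    that float (unpinned or range) and names that are exactly pinned."""
    entries = [r for r in (classify_requirement(l) for l in text.splitlines()) if r]
    return {
        "entries": entries,
        "floating": sorted({n for n, s in entries if s in ("unpinned", "range")}),
        "pinned": sorted({n for n, s in entries if s.startswith("pinned")}),
    }


if __name__ == "__main__":
    report = audit_requirements(SAMPLE_REQUIREMENTS)
    for name, status in report["entries"]:
        print(f"{name:10} {status}")
    print("floating:", report["floating"])
```

A file that only lists direct dependencies still lets every transitive package float, so the fix the finding asks for is a fully resolved lock: `pip freeze` gives exact pins, and `pip-compile --generate-hashes` (pip-tools) emits the `--hash=` form that `pip install --require-hashes` will refuse to install without.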
Full report: https://skillshield.io/report/421f410e56aa8dca