Trust Assessment
recraft received a trust score of 75/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 4 findings: 0 critical, 0 high, 4 medium, and 0 low severity. Key findings include "Unsafe deserialization / dynamic eval", "Suspicious import: requests", and "Path Traversal Vulnerability in File Operations".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/nkrcrft/recraft-ai/scripts/recraft.py:259 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/nkrcrft/recraft-ai/scripts/recraft.py:29 |
| MEDIUM | Path Traversal Vulnerability in File Operations. The script directly uses user-provided arguments for file paths (`--input` and `--filename`) without sanitization or validation. An attacker could use path traversal sequences (e.g., `../../`) in these arguments to read or write files outside the intended skill directory. For example, `--input ../../../../etc/passwd` could attempt to read system files, or `--filename ../../../../tmp/malicious.png` could write to arbitrary locations. Validate user-provided file paths (`args.input`, `args.filename`) to ensure they are within an allowed directory or do not contain path traversal sequences. Use `pathlib.Path.resolve()` and check if the resolved path is a subpath of a designated safe directory, or use `os.path.abspath()` and `os.path.commonprefix()` to enforce boundaries. | LLM | scripts/recraft.py:128 |
| MEDIUM | Path Traversal Vulnerability in File Operations. The script directly uses user-provided arguments for file paths (`--input` and `--filename`) without sanitization or validation. An attacker could use path traversal sequences (e.g., `../../`) in these arguments to read or write files outside the intended skill directory. For example, `--input ../../../../etc/passwd` could attempt to read system files, or `--filename ../../../../tmp/malicious.png` could write to arbitrary locations. Validate user-provided file paths (`args.input`, `args.filename`) to ensure they are within an allowed directory or do not contain path traversal sequences. Use `pathlib.Path.resolve()` and check if the resolved path is a subpath of a designated safe directory, or use `os.path.abspath()` and `os.path.commonprefix()` to enforce boundaries. | LLM | scripts/recraft.py:100 |