Trust Assessment
reflect received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include Dangerous tool allowed: Bash, Excessive 'Bash' permission declared, enabling Command Injection and Data Exfiltration, Broad filesystem access permissions declared.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Excessive 'Bash' permission declared, enabling Command Injection and Data Exfiltration The skill explicitly declares 'Bash' as an allowed tool in its manifest. This grants the skill the ability to execute arbitrary shell commands, which is a severe security risk. The skill's workflow, as described in `SKILL.md`, includes actions like 'Commit with descriptive message' (line 109). This action typically involves shell commands (e.g., `git commit`). If user-provided input (such as the commit message or extracted learning content) is not rigorously sanitized before being passed to a `Bash` command, it creates a direct path for command injection. Furthermore, the combination of 'Bash' with 'Read' permission allows for reading any accessible file and exfiltrating its contents. For a 'reflection' skill, direct `Bash` access is rarely justifiable and poses an unacceptable risk. Remove 'Bash' from the 'allowed-tools' list. If specific shell functionalities are required (e.g., Git operations), consider using more constrained, purpose-built tools or APIs that do not expose raw shell execution. If 'Bash' is absolutely unavoidable, implement stringent input sanitization and validation for all user-provided data used in shell commands. | LLM | Manifest (frontmatter JSON) | |
| HIGH | Dangerous tool allowed: Bash The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | skills/stevengonsalvez/agent-reflect/SKILL.md:1 | |
| HIGH | Broad filesystem access permissions declared The skill declares 'Read', 'Write', 'Edit', 'Grep', and 'Glob' as allowed tools. While the skill's stated purpose involves analyzing conversations and updating agent definition files and reflection logs (e.g., '.claude/reflections/', '~/.reflect/'), these tools grant broad access to the entire filesystem. This level of access is excessive for a skill focused on 'reflection' and 'self-improvement'. It could be misused to read, modify, or delete sensitive files outside the intended scope, potentially leading to data tampering or unauthorized information disclosure. Review and narrow down filesystem permissions. If possible, use tools that operate within a confined directory or require explicit, user-approved file path arguments, rather than granting broad 'Read', 'Write', 'Edit', 'Grep', and 'Glob' access to the entire filesystem. Consider implementing more granular file access controls. | LLM | Manifest (frontmatter JSON) |
Scan History
Embed Code
[](https://skillshield.io/report/851466549c3e89e7)
Powered by SkillShield