Trust Assessment
`reflect` received a trust score of 50/100, placing it in the Caution category. This skill has security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 1 critical, 3 high, 2 medium, and 0 low severity. Key findings include: a dangerous tool allowed (Bash), an excessive 'Bash' permission declared, and overly broad file system access permissions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 26/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Excessive 'Bash' permission declared.** The skill declares 'Bash' as an allowed tool in its manifest. This grants the skill the ability to execute arbitrary shell commands on the host system. For a skill focused on 'Self-improvement through conversation analysis' and modifying agent definitions, this level of access is highly excessive and introduces a severe security risk, enabling command injection, data exfiltration, and system compromise. *Remediation:* Remove the 'Bash' permission. If specific shell commands are absolutely necessary, consider wrapping them in a more constrained, purpose-built tool or using safer alternatives within the agent's runtime environment. | LLM | SKILL.md:1 |
| HIGH | **Dangerous tool allowed: Bash.** The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. *Remediation:* Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | skills/stevengonsalvez/reflect-learn/SKILL.md:1 |
| HIGH | **Overly broad file system access permissions.** The skill declares 'Read', 'Write', 'Edit', 'Grep', and 'Glob' permissions. While the skill's purpose involves modifying agent definitions and creating new skill files, these permissions are not sufficiently scoped. They allow reading, writing, editing, searching, and listing files across the entire accessible filesystem, far beyond the specific directories or files mentioned (e.g., agent definitions, `~/.reflect`, `.claude/skills`). This broad access increases the attack surface for data exfiltration, unauthorized modification, and potential command injection if file paths are derived from untrusted input. *Remediation:* Restrict file system permissions to the absolute minimum necessary. Define explicit allow-lists for directories and file patterns that the skill is permitted to access (e.g., `~/.reflect/**`, `.claude/agents/**`, `.claude/skills/**`). Avoid wildcard access where possible. | LLM | SKILL.md:1 |
| HIGH | **High risk of command injection due to 'Bash' and dynamic file modification.** The skill's declared 'Bash' permission, combined with its described functionality to analyze untrusted conversation input, generate 'Proposed Changes,' and 'Apply each change using Edit tool' or create new skill files, creates a significant command injection risk. If user-provided text (e.g., from 'Source Quote' or other parts of the conversation) is used to construct file paths, file contents, or arguments for shell commands without rigorous sanitization, an attacker could inject malicious commands that would be executed by the 'Bash' tool or embedded into executable files (like new skill files) that are later run. *Remediation:* 1. Remove the 'Bash' permission (as per the previous recommendation). 2. Implement strict input validation and sanitization for all user-derived content before it is used in file paths, file contents, or any command arguments. 3. Ensure that the 'Edit' tool is used in a highly structured and parameterized way, preventing arbitrary code injection into files. 4. If creating new skill files, validate the skill name and content rigorously to prevent embedding malicious code. | LLM | SKILL.md:100 |
| MEDIUM | **Potential for prompt injection into modified agent definitions.** The skill's core function is to extract 'learnings' from untrusted conversation input and 'permanently encod[e] them into agent definitions.' The 'Proposed Changes' section shows how 'Signal' and 'Source Quote' from user input are incorporated into diffs that update agent files. If malicious instructions or adversarial prompts are present in the user's conversation, they could be injected into the agent definitions. While the 'Human-in-the-Loop' guardrail (user approval) mitigates *direct execution* of these injected prompts, a user might inadvertently approve a subtle prompt injection that later manipulates the agent's behavior when it processes the modified definition. *Remediation:* 1. Implement robust sanitization and validation specifically designed to detect and neutralize prompt injection attempts within the extracted 'learnings' and 'source quotes' before they are incorporated into agent definitions. 2. Consider using structured data formats for agent definitions that are less susceptible to arbitrary text injection. 3. Enhance the 'Human-in-the-Loop' review process to highlight potential prompt injection patterns in proposed changes. | LLM | SKILL.md:87 |
| MEDIUM | **Risk of data exfiltration due to broad read/grep/bash permissions.** The skill's declared permissions ('Read', 'Grep', 'Glob', 'Bash') provide the capability to access and potentially exfiltrate sensitive data from the host system. While the skill's described purpose does not explicitly involve exfiltration, an attacker exploiting a command injection vulnerability (enabled by 'Bash' or broad file write access) could leverage these permissions to read sensitive files (e.g., `.env`, `~/.aws/credentials`, private keys), search for specific data patterns, and then transmit this data externally. The skill also processes 'Source Quote' from conversations, which could contain sensitive user data, and includes it in proposals, indicating it handles potentially sensitive information. *Remediation:* 1. Remove the 'Bash' permission and restrict other file system permissions (as per previous recommendations) to limit access to sensitive areas. 2. Ensure that any data extracted from conversations or files is handled securely and not exposed or transmitted without explicit user consent and robust sanitization. 3. Implement strict logging and monitoring of file access and external communication attempts by the skill. | LLM | SKILL.md:1 |
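The allow-list approach recommended in the filesystem finding can be sketched in a few lines. This is an illustrative sketch, not part of the skill: the allowed roots mirror the directories named in the finding, and the helper name `is_path_allowed` is an assumption.

```python
from pathlib import Path

# Hypothetical allow-list mirroring the directories the finding names
# (~/.reflect, .claude/agents, .claude/skills).
ALLOWED_ROOTS = [
    Path.home() / ".reflect",
    Path(".claude/agents").resolve(),
    Path(".claude/skills").resolve(),
]

def is_path_allowed(candidate: str) -> bool:
    """Return True only if the resolved path sits under an allowed root.

    Resolving first defeats `..` traversal and symlinks before the
    prefix check runs, so untrusted path fragments cannot escape.
    """
    resolved = Path(candidate).expanduser().resolve()
    return any(resolved.is_relative_to(root) for root in ALLOWED_ROOTS)
```

Checking the resolved path (rather than the raw string) is the important detail: a raw prefix check would accept `~/.reflect/../.aws/credentials`.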
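The Bash-related findings recommend replacing unconstrained shell access with a "purpose-built tool." One hedged sketch of what that could look like: a runner that only accepts names from a fixed table of argument vectors and never hands user text to a shell. The command table and the name `run_safe` are assumptions for illustration, not part of the skill.

```python
import subprocess

# Hypothetical allow-list of fixed argument vectors; nothing dynamic is
# ever spliced into these commands.
SAFE_COMMANDS = {
    "git-status": ["git", "status", "--porcelain"],
    "git-diff": ["git", "diff", "--stat"],
}

def run_safe(name: str) -> str:
    """Run one pre-approved command; reject anything else.

    Passing a fixed argv list with the default shell=False means no
    user-derived text is ever interpreted by a shell, which closes the
    injection path the findings describe.
    """
    if name not in SAFE_COMMANDS:
        raise ValueError(f"command not allowed: {name}")
    result = subprocess.run(
        SAFE_COMMANDS[name], capture_output=True, text=True, check=False
    )
    return result.stdout
```

The caller chooses a command by name only; even a hostile 'Source Quote' flowing into `name` can at worst trigger the `ValueError`.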
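The prompt-injection finding suggests highlighting suspicious patterns during human-in-the-loop review. A minimal heuristic screen might look like the following; the regex patterns and the helper name `flag_injection` are illustrative assumptions, and real screening would need far more than a few regexes.

```python
import re

# Illustrative heuristics only; a production screen would combine many
# signals, not just surface patterns.
INJECTION_PATTERNS = [
    re.compile(r"ignore (all )?(previous|prior) instructions", re.I),
    re.compile(r"disregard .{0,40}(rules|guardrails|instructions)", re.I),
    re.compile(r"you are now", re.I),
]

def flag_injection(source_quote: str) -> bool:
    """Return True if a source quote matches a known injection pattern,
    so the review step can highlight it before the text is written into
    an agent definition."""
    return any(p.search(source_quote) for p in INJECTION_PATTERNS)
```

Flagged quotes would be surfaced to the reviewer rather than silently dropped, keeping the human-in-the-loop guardrail informative instead of merely procedural.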
[View the full report on SkillShield](https://skillshield.io/report/ecaa9527a5638e1b)
Powered by SkillShield