Trust Assessment
regex-gen received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include "Missing required field: name", "Unpinned npm dependency version", and "Prompt Injection leading to malicious regex generation".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Prompt Injection leading to malicious regex generation. The skill directly passes user-provided input (`description`) to the OpenAI LLM without sanitization or robust validation. While the `response_format: { type: "json_object" }` helps constrain the output format, a malicious user could craft a prompt injection to coerce the LLM into generating a harmful regex pattern (e.g., a Regular Expression Denial of Service (ReDoS) pattern like `(a+)+b`), or an explanation containing misleading or dangerous instructions. The skill would then output this malicious content, potentially leading to downstream vulnerabilities if the user copies and uses the generated regex in their own applications. Implement a robust input validation and sanitization layer for the `description` before sending it to the LLM. Consider using an LLM guardrail or a secondary LLM call to evaluate the safety and intent of the generated regex pattern and explanation before presenting it to the user. Additionally, add a disclaimer to the user about the potential risks of using LLM-generated regex patterns without independent verification. | LLM | src/index.ts:19 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/lxgicstudios/regex-gen/SKILL.md:1 |
| MEDIUM | Unpinned npm dependency version. Dependency 'commander' is not pinned to an exact version ('^12.1.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/lxgicstudios/regex-gen/package.json |
| LOW | User input sent to third-party LLM. The skill sends the user's `description` directly to the OpenAI API. This means any sensitive or private information included in the user's prompt will be transmitted to OpenAI. While this is inherent to the skill's functionality, users should be aware of this data transmission for privacy considerations. Inform users clearly that their input is sent to a third-party AI service (OpenAI) and advise against including sensitive personal or proprietary information in their prompts. This can be done in the skill's documentation or as a prompt during initial use. | LLM | src/index.ts:19 |