Trust Assessment
research-assistant received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 1 high, 2 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Missing required field: name, Persistence mechanism: Shell RC file modification.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence. | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/johstracke/research-assistant/SKILL.md:66 |
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence. | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/johstracke/research-assistant/scripts/research_organizer.py:172 |
| HIGH | Time-of-Check to Time-of-Use (TOCTOU) vulnerability in file export path validation | `export_topic` validates `output_file` with `is_safe_path` (time of check) and only afterwards opens it for writing with `output_path.write_text()` (time of use). An attacker who can write to the target directory supplies a path that passes validation (e.g. `/tmp/safe_file.md`) and, between the check and the write, replaces it with a symbolic link to a sensitive file (e.g. `/etc/passwd` or `/root/.ssh/authorized_keys`). `write_text()` follows the link, so the research notes are written into the sensitive file and the path restriction is bypassed. This is an arbitrary file write; whether it yields privilege escalation, data corruption, or denial of service depends on the privileges the skill runs with. | Create the file with `os.open()` and `os.O_CREAT \| os.O_EXCL \| os.O_WRONLY`, which fails if anything already exists at the path, a symlink included; adding `os.O_NOFOLLOW` additionally refuses a symlink as the final path component. In pure `pathlib`, exclusive-creation mode `Path.open('x')` gives the same guarantee (`Path.open()` has no `exclusive` keyword argument). If an existing export must be overwritten, create a temporary file in the same directory with these flags and `os.replace()` it into place. | LLM | scripts/research_organizer.py:140 |
| MEDIUM | Missing required field: name | The `name` field is required for claude_code skills but is missing from the frontmatter. | Add a `name` field to the SKILL.md frontmatter. | Static | skills/johstracke/research-assistant/SKILL.md:1 |
| MEDIUM | Persistence mechanism: Shell RC file modification | Detected a shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/johstracke/research-assistant/SKILL.md:66 |
| LOW | Overly broad substring check for sensitive file patterns in path validation | `is_safe_path` blocks sensitive dotfiles by testing whether patterns such as `.ssh` or `.bashrc` occur as substrings of the resolved path string (`if pattern in path_str:`). Any path that merely contains the pattern, for example `~/backups/old.bashrc.bak` or `~/notes/.ssh-notes.md`, is rejected even though it is not the sensitive file, so legitimate exports fail unexpectedly. | Match on path components rather than substrings: compare `path.name` against the exact dotfile names and check `path.parts` for sensitive directory names, e.g. `if path.name == '.bashrc'` or `if '.ssh' in path.parts`. | LLM | scripts/research_organizer.py:171 |
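The HIGH (TOCTOU) and LOW (substring check) findings above describe the same pair of functions, so one added example covers both. This is illustrative code written for this report, not the research-assistant skill's code: the function names `is_safe_path` and `export_topic` follow the findings, but their bodies, the export root, and the lists of sensitive names are assumptions. `demo_symlink_race()` plants a symlink in a temporary directory after the check has passed, then shows the naive `write_text()` clobbering the link target while the `O_CREAT | O_EXCL` write refuses it.

```python
"""Hardened export path check and symlink-safe write.

Added example, not the research-assistant skill's own code. The names
is_safe_path / export_topic follow the findings; their bodies, the export
root, and the sensitive-name lists are assumptions.
"""
import os
import tempfile
from pathlib import Path

# Constructed lists of exact names to refuse (assumption, not the skill's list).
SENSITIVE_NAMES = {".bashrc", ".zshrc", ".bash_profile", ".profile", ".netrc"}
SENSITIVE_DIRS = {".ssh", ".gnupg", ".aws"}


def is_safe_path(output_file: str, export_root: Path) -> bool:
    """Component-wise check that replaces the substring test.

    Safe means: resolves inside export_root, no directory component is a
    sensitive dotdir, and the final name is not a sensitive dotfile. So
    'old.bashrc.bak' and '.ssh-notes.md' pass, while '.bashrc' and
    '.ssh/authorized_keys' are refused.
    """
    root = export_root.resolve()
    # Path('/root') / '/etc/passwd' == Path('/etc/passwd'): an absolute input wins.
    target = (root / output_file).resolve()
    if target != root and root not in target.parents:
        return False
    if any(part in SENSITIVE_DIRS for part in target.parts):
        return False
    return target.name not in SENSITIVE_NAMES


def naive_write(path: Path, text: str) -> None:
    """The pattern in the finding: write_text() follows a symlink planted
    after the check, so the link target gets clobbered."""
    path.write_text(text)


def exclusive_write(path: Path, text: str) -> None:
    """Create-only write. O_CREAT|O_EXCL fails with EEXIST if anything exists
    at the path, a symlink included; O_NOFOLLOW (Unix) additionally refuses a
    symlink as the final component. Symlinks in parent directories are still
    followed, so keep the parent directory under the skill's control."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def export_topic(output_file: str, notes: str, export_root: Path) -> Path:
    """Validate, then write with the exclusive-create primitive."""
    if not is_safe_path(output_file, export_root):
        raise PermissionError(f"refused to export to {output_file!r}")
    target = export_root / output_file
    target.parent.mkdir(parents=True, exist_ok=True)
    exclusive_write(target, notes)
    return target


def safe_path_examples() -> dict:
    """Constructed inputs showing what the component-wise check decides."""
    root = Path(tempfile.gettempdir()) / "research-exports"
    cases = ["topic.md", "old.bashrc.bak", ".ssh-notes.md",
             ".bashrc", ".ssh/authorized_keys", "../../etc/passwd", "/etc/passwd"]
    return {case: is_safe_path(case, root) for case in cases}


def demo_symlink_race() -> dict:
    """Simulate the race in a temp dir: the check passes, then an attacker
    plants a symlink at the export path before the write happens."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "exports"
        root.mkdir()
        victim = Path(tmp) / "victim.txt"  # stands in for /root/.ssh/authorized_keys
        victim.write_text("original\n")
        out = root / "notes.md"
        checked = is_safe_path("notes.md", root)  # nothing exists yet: passes
        out.symlink_to(victim)                     # attacker wins the race here
        naive_write(out, "notes\n")                # follows the link
        after_naive = victim.read_text()
        victim.write_text("original\n")
        try:
            exclusive_write(out, "notes\n")
            hardened_blocked = False
        except OSError:                            # EEXIST (or ELOOP) from O_EXCL/O_NOFOLLOW
            hardened_blocked = True
        return {"checked": checked, "after_naive": after_naive,
                "hardened_blocked": hardened_blocked,
                "victim_after_hardened": victim.read_text()}


if __name__ == "__main__":
    print(safe_path_examples())
    print(demo_symlink_race())
```

`exclusive_write` only closes the window at the final path component; a symlinked parent directory is still traversed, which is why `export_topic` creates the parent itself and why a directory the attacker controls (such as `/tmp`) is a poor export root regardless of the open flags. Where an export must replace an earlier file, write to a fresh `O_EXCL`-created temp file in the same directory and `os.replace()` it over the old name instead of opening the old name for writing.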
Full report: https://skillshield.io/report/6b509f052955d1f8
Powered by SkillShield