Trust Assessment
The salesforce skill received a trust score of 65/100, placing it in the Caution category. This skill has security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 2 high, 0 medium, and 0 low severity. Key findings include Arbitrary Apex Code Execution Capability, Arbitrary Salesforce REST API Call Capability, and Exposure of Sensitive Salesforce Credentials.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Apex Code Execution Capability.** The skill describes the capability to execute arbitrary Apex code from a file (`sf apex run --file script.apex`), granting full programmatic control over the Salesforce org. Because the "Guardrails" section sits within the untrusted content delimiters, the host LLM cannot rely on those instructions to constrain its behavior; an AI agent not constrained by *trusted, external* guardrails could be prompted to execute malicious Apex code, leading to full compromise of the Salesforce org. **Recommendation:** implement robust, trusted guardrails *outside* the untrusted skill content that require explicit user confirmation and strict validation for any Apex code execution. The agent should never execute arbitrary code without explicit, informed user consent and careful review of the code. | LLM | SKILL.md:300 |
| CRITICAL | **Arbitrary Salesforce REST API Call Capability.** The skill describes the capability to make arbitrary authenticated REST API calls (`sf api request rest`), granting extensive control over the Salesforce org and allowing any operation the API supports. Since the "Guardrails" are untrusted, the host LLM cannot rely on them to constrain API call behavior; an agent without *trusted, external* guardrails could be prompted to craft malicious API requests to exfiltrate data, modify records, or perform other unauthorized actions. **Recommendation:** implement robust, trusted guardrails *outside* the untrusted skill content that require explicit user confirmation and strict validation for any arbitrary REST API call. The agent should never execute arbitrary API calls without explicit, informed user consent and careful review of the request parameters. | LLM | SKILL.md:320 |
| HIGH | **Exposure of Sensitive Salesforce Credentials.** The skill explicitly describes how to display sensitive Salesforce organization details, including refresh tokens, via `sf org display --verbose --json`. Although the skill flags this as "sensitive," the "Guardrails" are within the untrusted content and cannot be relied upon by the host LLM, creating a credible path for an attacker to prompt the agent to display and thus exfiltrate credentials. **Recommendation:** implement robust, trusted guardrails *outside* the untrusted skill content that forbid displaying or logging sensitive credentials such as refresh tokens, even when requested by the user. The agent should redact or refuse to display such information. | LLM | SKILL.md:48 |
| HIGH | **Unrestricted File System Access via CLI Commands.** The skill describes numerous `sf` CLI commands that read from or write to user-supplied file paths (e.g., `sf data query --file`, `sf data export bulk --output-file`, `sf data import bulk --file`, `sf apex run --file`, `sf org login jwt --jwt-key-file`). Since the "Guardrails" are untrusted, the host LLM cannot rely on them to validate file paths; an attacker who controls these paths could read arbitrary files from the agent's environment (data exfiltration), write to arbitrary locations (data corruption), or execute arbitrary code. **Recommendation:** implement robust, trusted guardrails *outside* the untrusted skill content that strictly validate and sanitize all user-provided file paths, restrict file operations to a designated sandboxed directory, and require explicit user confirmation and review for sensitive operations such as reading or writing arbitrary files or executing code from files. | LLM | SKILL.md:100 |
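The recommendations above share one theme: enforcement must live outside the untrusted skill content, in code the host controls. A minimal sketch of such a trusted guardrail layer is shown below; the policy list, field names, and sandbox path are illustrative assumptions, not part of the skill or of any official Salesforce CLI API:

```python
from pathlib import Path

# Hypothetical policy: `sf` subcommands that grant code execution or
# arbitrary API access must be held for explicit human confirmation.
DANGEROUS_PREFIXES = [
    ("apex", "run"),
    ("api", "request", "rest"),
]

# Illustrative set of JSON keys to mask in `sf org display --json` output.
SENSITIVE_KEYS = {"refreshToken", "accessToken", "password", "clientSecret"}


def requires_confirmation(argv):
    """Return True if an `sf` invocation should be paused for user review."""
    positional = tuple(a for a in argv if not a.startswith("-"))
    return any(positional[: len(p)] == p for p in DANGEROUS_PREFIXES)


def redact_credentials(payload):
    """Recursively mask sensitive fields before showing CLI output to the agent."""
    if isinstance(payload, dict):
        return {
            k: "***REDACTED***" if k in SENSITIVE_KEYS else redact_credentials(v)
            for k, v in payload.items()
        }
    if isinstance(payload, list):
        return [redact_credentials(v) for v in payload]
    return payload


def is_sandboxed(path, sandbox):
    """Reject file arguments that resolve outside the designated sandbox directory."""
    return Path(path).resolve().is_relative_to(Path(sandbox).resolve())
```

In practice these checks would wrap every `sf` invocation the agent proposes: a command hitting `requires_confirmation` is surfaced to the user instead of executed, all JSON output passes through `redact_credentials`, and any `--file`-style argument failing `is_sandboxed` is refused. Because the checks run in host code, the skill's untrusted "Guardrails" prose never needs to be trusted.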
[View full report](https://skillshield.io/report/b65515ba1a111e27)
Powered by SkillShield