Trust Assessment
schedule-cost-link received a trust score of 87/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include Missing required field: name, Unrestricted File Write Path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/schedule-cost-link/SKILL.md:1 | |
| MEDIUM | Unrestricted File Write Path The `export_to_excel` function allows writing to an arbitrary `output_path` provided by the user. If the AI agent does not sanitize or restrict this path, a malicious actor could specify paths outside the intended working directory, potentially overwriting critical system files, writing to sensitive locations, or creating files in unexpected places. This grants excessive file system write permissions to the skill. Implement strict validation and sanitization of the `output_path` argument. Restrict file writes to a designated, sandboxed directory. Consider using a file picker or predefined output locations instead of arbitrary user input for file paths. If arbitrary paths are necessary, ensure the path is normalized and checked against an allow-list or deny-list of directories. | LLM | SKILL.md:310 |
Scan History
Embed Code
[](https://skillshield.io/report/935ce43d980fb5bf)
Powered by SkillShield