Trust Assessment
Self-Evolving Skill received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 3 medium, and 1 low severity. Key findings include sensitive environment variable access (`$HOME`), an unpinned npm dependency version, and a missing Node lockfile.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unsanitized `context` parameter in `skill_execute` tool.** The `skill_execute` tool accepts an arbitrary JSON `context` object as input. This `context` is passed directly to the Python backend (`mcp_server.py` or `mcporter_adapter.py`) without apparent sanitization. Given the 'self-evolving' nature of the skill, it is highly probable that the backend uses parts of this `context` in dynamic code execution (e.g., `eval()` or `exec()`). If an attacker can control the `context` parameter and inject malicious code, it could lead to arbitrary command execution on the host system. Recommendation: implement strict input validation and sanitization for the `context` parameter in the Python backend. If `context` is intended to contain executable code, ensure it is executed within a secure sandbox environment (e.g., a restricted Python interpreter, containerized execution) that prevents access to sensitive system resources or arbitrary command execution. | LLM | src/index.ts:192 |
| MEDIUM | **Sensitive environment variable access: `$HOME`.** Access to sensitive environment variable `$HOME` detected in shell context. Recommendation: verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/whtoo/self-evolving-skill/install.sh:11 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `@types/node` is not pinned to an exact version (`^20.0.0`). Recommendation: pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/whtoo/self-evolving-skill/package.json |
| MEDIUM | **Path traversal vulnerability via unsanitized `storageDir` configuration.** The `MCPServer` in `src/index.ts` can be configured with a `storageDir` parameter. If this `storageDir` is provided by an untrusted source (e.g., an LLM or user input) and contains path traversal sequences (e.g., `../../`), the Python backend (`mcp_server.py`) could be instructed to read from or write to arbitrary locations on the filesystem. This could lead to data exfiltration, data corruption, or potentially command injection if executable files are overwritten. Although `child_process.spawn` mitigates direct shell injection, the Python script receiving the path could still be vulnerable if it doesn't sanitize the path before file operations. Recommendation: validate and sanitize the `storageDir` input to ensure it is a canonical path within the allowed skill directory or a designated safe storage location. Prevent path traversal sequences (e.g., `..`, absolute paths outside the sandbox) before passing the path to the Python process. | LLM | src/index.ts:100 |
| LOW | **Node lockfile missing.** `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Recommendation: commit a lockfile for deterministic dependency resolution. | Dependencies | skills/whtoo/self-evolving-skill/package.json |
Full report: [https://skillshield.io/report/dfcbb4cb626f57fb](https://skillshield.io/report/dfcbb4cb626f57fb)
Powered by SkillShield