Trust Assessment
senior-devops received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 3 high, 0 medium, and 0 low severity. Key findings include Arbitrary File Write via --output Argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Arbitrary File Write via --output Argument The script allows writing its JSON output to an arbitrary file path specified by the `--output` argument. An attacker could provide a sensitive system path (e.g., `/etc/passwd`, `/root/.ssh/authorized_keys`) to overwrite or create files, leading to denial of service, privilege escalation, or data corruption. While the content written is currently benign JSON, the ability to write to any location is a critical vulnerability. Restrict the `--output` argument to only allow writing within a designated, sandboxed output directory. Implement strict path validation to prevent directory traversal (e.g., `../`) and absolute paths outside the allowed scope. Alternatively, if arbitrary file writing is strictly necessary, ensure the process runs with minimal privileges and the content written is always harmless. | LLM | scripts/deployment_manager.py:105 | |
| HIGH | Arbitrary File Write via --output Argument The script allows writing its JSON output to an arbitrary file path specified by the `--output` argument. An attacker could provide a sensitive system path (e.g., `/etc/passwd`, `/root/.ssh/authorized_keys`) to overwrite or create files, leading to denial of service, privilege escalation, or data corruption. While the content written is currently benign JSON, the ability to write to any location is a critical vulnerability. Restrict the `--output` argument to only allow writing within a designated, sandboxed output directory. Implement strict path validation to prevent directory traversal (e.g., `../`) and absolute paths outside the allowed scope. Alternatively, if arbitrary file writing is strictly necessary, ensure the process runs with minimal privileges and the content written is always harmless. | LLM | scripts/pipeline_generator.py:105 | |
| HIGH | Arbitrary File Write via --output Argument The script allows writing its JSON output to an arbitrary file path specified by the `--output` argument. An attacker could provide a sensitive system path (e.g., `/etc/passwd`, `/root/.ssh/authorized_keys`) to overwrite or create files, leading to denial of service, privilege escalation, or data corruption. While the content written is currently benign JSON, the ability to write to any location is a critical vulnerability. Restrict the `--output` argument to only allow writing within a designated, sandboxed output directory. Implement strict path validation to prevent directory traversal (e.g., `../`) and absolute paths outside the allowed scope. Alternatively, if arbitrary file writing is strictly necessary, ensure the process runs with minimal privileges and the content written is always harmless. | LLM | scripts/terraform_scaffolder.py:105 |
Scan History
Embed Code
[](https://skillshield.io/report/24ea26d73998b8a8)
Powered by SkillShield