Trust Assessment
sev-attestation received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 1 high, 2 medium, and 3 low severity. Key findings include Covert behavior / concealment directives, Skill requires root access to /dev/sev-guest, Untrusted report file can lead to SSRF or data exfiltration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Skill requires root access to /dev/sev-guest: The skill explicitly states in its `SKILL.md` and `scripts/generate-report.sh` that it requires root access to `/dev/sev-guest` to function. Running an AI agent skill with root privileges significantly increases the attack surface and the potential impact of any vulnerability, allowing an attacker to gain full control over the host system if a flaw is exploited. Re-evaluate the necessity of root access. If unavoidable, implement strict privilege separation (e.g., using `sudo` with specific, limited commands, or running the sensitive part in a highly constrained container). Document the security implications clearly and provide guidance on least-privilege execution. | LLM | SKILL.md:40 |
| MEDIUM | Untrusted report file can lead to SSRF or data exfiltration: In `scripts/fetch-certificates.sh`, the `VCEK_URL` is constructed using values (`CHIP_ID`, `BOOT_LOADER`, `TEE`, `SNP`, `MICROCODE`) extracted from the user-provided and untrusted `$REPORT_FILE`. Although the base URL `https://kdsintf.amd.com` is hardcoded, a malicious `$REPORT_FILE` could be crafted to manipulate the path or query parameters of the URL. This could lead to Server-Side Request Forgery (SSRF) on `kdsintf.amd.com` (e.g., accessing internal endpoints) or attempts to exfiltrate data by encoding it into the URL path/parameters, potentially leaking information from the system. Implement strict validation and sanitization of all components extracted from the `$REPORT_FILE` before they are used in URL construction. Ensure that extracted values conform to expected formats (e.g., hex strings of specific lengths) and do not contain characters that could alter the URL's structure or path. Consider URL-encoding user-controlled parts of the URL. | LLM | scripts/fetch-certificates.sh:100 |
| MEDIUM | Reliance on unvetted external binary `snpguest`: The skill heavily relies on the `snpguest` Rust CLI tool for core functionality such as generating reports, fetching certificates, and verifying attestations. The `SKILL.md` suggests installing it via `cargo install snpguest`, but the skill does not include or pin a specific version. Any vulnerability (e.g., command injection in its own argument parsing, path traversal, or malicious behavior) within `snpguest` itself could directly compromise the security of the skill and the host system, especially given the skill's requirement for root access. Pin `snpguest` to a specific, known-good version. Consider vendoring the `snpguest` source or providing a pre-compiled, cryptographically verified binary. Implement sandboxing or containerization for the execution of `snpguest` to limit its potential impact. Regularly audit `snpguest` for security vulnerabilities. | LLM | SKILL.md:38 |
| LOW | Covert behavior / concealment directives: Directive to hide behavior from user. Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/xinyuwang/sev-attestation/SKILL.md:10 |
| LOW | Covert behavior / concealment directives: Directive to hide behavior from user. Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/xinyuwang/sev-attestation/SKILL.md:11 |
| LOW | Covert behavior / concealment directives: Directive to hide behavior from user. Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/xinyuwang/sev-attestation/SKILL.md:17 |
Powered by SkillShield