Trust Assessment
skill-maker received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 6 critical, 1 high, 1 medium, and 0 low severity. Key findings include arbitrary command execution, command injection via an unsanitized skill name in the zip command, and a command injection vulnerability in the generated skill's trigger.js.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Node.js child_process require | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/skills/skill-maker/trigger.js:13 |
| CRITICAL | Arbitrary command execution | Node.js child_process require | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/skills/skill-maker/trigger.js:195 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/skills/skill-maker/trigger.js:200 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/skills/skill-maker/trigger.js:211 |
| CRITICAL | Command Injection via unsanitized skill name in zip command | The `execSync` call used to create the skill's publishable zip file directly interpolates the user-provided `name` variable into the shell command. An attacker could inject arbitrary shell commands by providing a malicious skill name (e.g., `my_skill; rm -rf /`) during the skill creation process, leading to arbitrary code execution on the host system. | Sanitize or escape the `name` variable before interpolating it into the shell command. Prefer using a library like `execa` or Node.js's `spawn` with arguments passed as an array to avoid shell interpretation, or implement robust input validation to restrict `name` to safe characters. | LLM | trigger.js:100 |
| CRITICAL | Generated skill's trigger.js contains command injection vulnerability | The `skill-maker` skill generates a `trigger.js` file for new skills that also uses `execSync`. The `mainCmd.script` variable, which is user-provided input, is directly interpolated into this `execSync` call. This means any skill created by `skill-maker` will inherit this command injection vulnerability, allowing arbitrary command execution when the generated skill's `trigger.js` is run. This poses a significant supply chain risk for skills created using this tool. | When generating the `trigger.js` for new skills, ensure that `mainCmd.script` is properly sanitized or escaped before being included in the `execSync` command string. Prefer passing arguments as an array to `execa` or `spawn` if possible, or use a safe shell escaping utility. | LLM | trigger.js:150 |
| HIGH | Path Traversal vulnerability in directory creation/deletion | The `skillDir` is constructed using `path.join(process.env.HOME, 'clawd/skills', name)`. While `path.join` normalizes paths, if the user-provided `name` contains path traversal sequences (e.g., `../../`), it could lead to directories and files being created or deleted outside the intended `~/clawd/skills/` directory. This could result in data loss or unauthorized file creation within the user's home directory. | Validate the `name` input to ensure it does not contain path traversal characters (e.g., `/`, `\`, `..`). A strict regex pattern (e.g., `^[a-z0-9_-]+$`) should be applied to enforce a safe naming convention for skill directories. | LLM | trigger.js:69 |
| MEDIUM | Potential Prompt Injection via unsanitized user input in generated markdown files | The `name` and `description` variables, which are user-provided, are directly embedded into the generated `SKILL.md` and `README.md` files. If these inputs contain specific markdown or YAML-like syntax (e.g., `---`, `name:`, `description:`, or LLM-specific instructions), they could potentially manipulate a host LLM that later processes these generated files as part of a skill's context. This is a risk for the LLM consuming the generated skill's metadata. | Sanitize user inputs (`name`, `description`) before embedding them into markdown files, especially within YAML frontmatter sections. This could involve escaping special characters or restricting input to plain text to prevent unintended interpretation by an LLM. | LLM | trigger.js:84 |