Trust Assessment
sprite-sheet received a trust score of 88/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Both are medium severity: a missing required `name` field in the SKILL.md frontmatter, and an arbitrary file read via the Unity meta parser example script (`examples/unity_meta_parser.py`).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Missing required field: name | Static | skills/kjaylee/sprite-sheet/SKILL.md:1 |
| MEDIUM | Arbitrary File Read via Unity Meta Parser Script | LLM | examples/unity_meta_parser.py:17 |

Missing required field: name (Static layer, skills/kjaylee/sprite-sheet/SKILL.md:1)

The `name` field is required in the frontmatter of claude_code skills but is missing from this skill's SKILL.md. Add a `name` field to the SKILL.md frontmatter.

Arbitrary File Read via Unity Meta Parser Script (LLM layer, examples/unity_meta_parser.py:17)

`examples/unity_meta_parser.py` is a standalone Python utility that parses Unity `.meta` files. It takes a file path as a command-line argument and reads that path with `open()`. If the AI agent has a tool that executes Python scripts and is prompted to run this script with a user-controlled `meta_path` argument, it can be coerced into reading any file the process can access. That is a data exfiltration risk: the contents of sensitive files could be read and surfaced through the agent's output. The script parses the file content with `yaml.safe_load` and `json.loads`, which prevents code execution through unsafe YAML deserialization, but does nothing to limit which file is read.

Recommendations:

1. Restrict tool access: ensure the agent's execution environment strictly limits file system access and prevents running arbitrary scripts or touching paths outside a designated sandbox.
2. Input validation: if the script must be exposed as a tool, validate the `meta_path` argument so it can only name `.meta` files inside a strictly defined directory. Perform the check on the canonical (resolved) path, since `..` segments and symlinks defeat checks made on the raw string.
3. Least privilege: execute the script with the minimum file system permissions it needs.
4. Alternative parsing: pass the *content* of the meta file to the agent for parsing instead of granting it a tool that reads files from disk, removing direct file access from the agent's control.
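The following is an added example of the input-validation remediation above; it is not the scanned `unity_meta_parser.py` and is not code from the sprite-sheet skill. It assumes the parser is wrapped so that callers name a `.meta` file relative to a fixed project root, and it checks the resolved path so that `..` traversal and symlinks pointing outside the root are rejected on their real target. The project tree, the sample `.meta` content and the "secret" file are constructed for the demo.

```python
"""Confining a user-supplied Unity .meta path to a project directory.

Added example: not the scanned unity_meta_parser.py. Demonstrates the
"Input Validation" remediation, assuming callers pass a path *relative*
to a fixed project root. All file names below are constructed.
"""
import tempfile
from pathlib import Path


class PathNotAllowed(ValueError):
    """Raised when a requested path is outside the root or is not a regular .meta file."""


def resolve_meta_path(root: Path, user_path: str) -> Path:
    """Return the canonical path of user_path if it is a regular .meta file under root.

    The containment check runs on the *resolved* path: resolve() follows
    symlinks and collapses '..', so a link inside root that points outside
    it, or a traversal like '../secret.txt', is judged by its real target
    rather than by the spelling the caller supplied.
    """
    root = root.resolve(strict=True)
    candidate = Path(user_path)
    if candidate.is_absolute():
        raise PathNotAllowed(f"absolute paths are not accepted: {user_path}")
    try:
        real = (root / candidate).resolve(strict=True)
    except (FileNotFoundError, RuntimeError) as exc:  # RuntimeError: symlink loop
        raise PathNotAllowed(f"cannot resolve {user_path}: {exc}") from exc
    if root not in real.parents:
        raise PathNotAllowed(f"path escapes {root}: {user_path}")
    if real.suffix != ".meta" or not real.is_file():
        raise PathNotAllowed(f"not a regular .meta file: {user_path}")
    return real


def read_meta(root: Path, user_path: str) -> str:
    """Read a .meta file only after resolve_meta_path has accepted it."""
    return resolve_meta_path(root, user_path).read_text(encoding="utf-8")


def demo() -> dict:
    """Build a throwaway project tree and exercise the check against hostile inputs."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "project"
    (root / "Assets").mkdir(parents=True)
    # Constructed sample in the YAML shape Unity writes for .meta files
    (root / "Assets" / "Player.png.meta").write_text(
        "fileFormatVersion: 2\nguid: 0123456789abcdef0123456789abcdef\n", encoding="utf-8"
    )
    # Constructed "sensitive" file that sits outside the project root
    secret = tmp / "secret.txt"
    secret.write_text("TOKEN=do-not-leak\n", encoding="utf-8")

    attempts = {
        "allowed": "Assets/Player.png.meta",
        "traversal": "../secret.txt",
        "absolute": str(secret),
        "directory": "Assets",
    }
    results = {}
    for label, path in attempts.items():
        try:
            results[label] = read_meta(root, path)
        except PathNotAllowed as exc:
            results[label] = f"rejected: {exc}"

    # A .meta-named symlink inside root that points outside it: a naive
    # prefix-and-suffix check on the string accepts it; this check rejects it
    # because the resolved target is what gets compared against root.
    link = root / "Assets" / "evil.meta"
    try:
        link.symlink_to(secret)
    except OSError:
        results["symlink"] = "skipped"  # platform does not permit creating symlinks
    else:
        try:
            results["symlink"] = read_meta(root, "Assets/evil.meta")
        except PathNotAllowed as exc:
            results["symlink"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10} {outcome.strip()}")
```

Only the `allowed` case returns file content; the traversal, absolute, directory and symlink cases are all refused before `open()` is ever called. Rejecting absolute inputs outright, rather than resolving them, keeps the error messages from echoing back whether a given absolute path exists.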
Full report: https://skillshield.io/report/fa0c4e97ae04c5d8