Trust Assessment
therapy-mode received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Missing required field: name, User-controlled session notes can lead to Prompt Injection, Path Traversal vulnerability in file operations.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | User-controlled session notes can lead to Prompt Injection The `therapy-notes.py` script allows users to add arbitrary text to session notes files (`session-(date).md`) via functions like `add_note`, `add_insight`, and `update_session`. The `SKILL.md` instructions explicitly state that the AI agent should 'Review the entire session file in its entirety' after a session. This means user-controlled content from the session notes will be fed directly into the LLM's context, creating a high-risk vector for prompt injection. A malicious user could insert instructions into their notes that manipulate the LLM's behavior, override its persona, or extract sensitive information. Implement robust input sanitization for all user-provided text before writing to session notes. More critically, when constructing the LLM's prompt, strictly separate user-generated content (like session notes) from system instructions using clear delimiters (e.g., XML tags, markdown fences) and instruct the LLM to treat content within these delimiters as data, not instructions. | LLM | SKILL.md:13 | |
| HIGH | Path Traversal vulnerability in file operations The `therapy-notes.py` script constructs file paths using user-provided `date` arguments in functions like `archive_session`, `restore_session`, and `hard_delete`. The `get_session_file` and `get_archived_file` functions append `f"session-{date}.md"` to the `ACTIVE_DIR` or `ARCHIVED_DIR` `Path` objects. If a malicious user provides a `date` argument containing path traversal sequences (e.g., `../../etc/passwd`), the `Path` object's resolution (implicitly used by `os.remove` or `shutil.move`) could allow the script to operate on files outside the intended `therapy-notes` directory. This could lead to unauthorized deletion, modification, or archiving of arbitrary files on the system, depending on the script's execution privileges. Validate the `date` input to ensure it only contains valid date characters and does not include any path separators or traversal sequences (e.g., `.` or `/`). A simple regex check like `re.match(r"^\d{4}-\d{2}-\d{2}$", date)` would prevent this. Alternatively, ensure that the `date` parameter is strictly formatted and does not allow arbitrary string input. | LLM | therapy-notes.py:30 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/thesethrose/therapy-mode/SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/b30dd6e94b4a2772)
Powered by SkillShield