Trust Assessment
topic-to-article-kit received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Untrusted Instruction to Override File System Behavior, Broad File System Write Access, and Potential Command Injection via File System Operations.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Untrusted Instruction to Override File System Behavior.** The untrusted skill description contains a direct instruction to the host LLM: 'Always write to the real Obsidian Vault visible directory first (absolute path under user's real vault), never workspace mirror paths.' This attempts to dictate the LLM's behavior regarding file system access and path handling, potentially overriding safety mechanisms or default workspace restrictions. If the LLM interprets this as a command rather than descriptive text, it constitutes a prompt injection. The host LLM must be hardened to strictly differentiate between trusted system instructions and untrusted content. Instructions found within untrusted input delimiters must never be executed as commands. The skill should not contain direct instructions to the LLM within untrusted blocks. | LLM | SKILL.md:18 |
| HIGH | **Broad File System Write Access.** The skill explicitly states it will write to an 'absolute path under user's real vault', indicating broad write permissions to the user's local file system, specifically targeting the Obsidian vault. This allows the skill to create, modify, or delete files in a user-controlled directory outside its isolated workspace, posing a significant risk if misused. Restrict file system access to a dedicated, isolated workspace. If writing to the user's Obsidian vault is essential, implement strict path validation and user confirmation for all write operations, and ensure the skill only writes to explicitly approved subdirectories. Avoid absolute paths determined by the skill itself. | LLM | SKILL.md:18 |
| MEDIUM | **Potential Command Injection via File System Operations.** The skill writes files (.md) to the user's Obsidian vault, with folder names derived from '<日期_标题>'. If the underlying file system operations (e.g., creating directories, writing files) are implemented using shell commands and user-provided input (like the topic/title) is not properly sanitized, it could lead to command injection. Malicious input in the topic/title could be used to execute arbitrary commands. Ensure all user-provided input used in file paths or names is strictly sanitized to prevent path traversal characters (e.g., `../`, `/`) and shell metacharacters (e.g., `;`, `\|`, `&`, `$`). Use safe file system APIs that do not invoke a shell. | LLM | SKILL.md:15 |