Trust Assessment
ui-test received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 3 high, 1 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Arbitrary JavaScript execution via browser action=evaluate, Arbitrary file write vulnerability in exportPlaywright.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary JavaScript execution via browser action=evaluate: The skill's `SKILL.md` describes an agent action `browser action=evaluate fn="..."` which allows executing arbitrary JavaScript within the browser context. If the `fn` parameter can be influenced by untrusted user input (e.g., a test step like "evaluate `alert(document.cookie)`"), it constitutes a critical command injection vulnerability. This allows an attacker to run arbitrary client-side code, potentially leading to data exfiltration (e.g., cookies, local storage) or other malicious actions within the agent's browser session. Implement strict sanitization or whitelisting for the `fn` parameter when interpreting user-provided steps. Only allow a predefined set of safe JavaScript functions or ensure that user input cannot directly form the `fn` string. The browser tool itself should also enforce a sandbox or strict content security policy. | LLM | SKILL.md:68 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/clawd21/ui-test/scripts/ui-test.js:297 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/clawd21/ui-test/scripts/ui-test.js:300 |
| HIGH | Arbitrary file write vulnerability in exportPlaywright: The `SKILL.md` states that the `export` command can save to a "user-specified path". The `scripts/ui-test.js` defines an `exportPlaywright(name, outFile)` function where `outFile` is derived from user input (`process.argv`). If `outFile` is not properly sanitized for path traversal sequences (e.g., `../`, absolute paths), an attacker could specify an arbitrary file path to write the generated Playwright script, potentially overwriting critical system files or writing malicious content to sensitive locations. The truncated nature of the function prevents full verification, but the explicit mention of a "user-specified path" and the `outFile` parameter indicate a high risk. Implement robust path sanitization for the `outFile` argument. Restrict output paths to a designated, sandboxed directory (e.g., `~/workspace/tests/`) and prevent absolute paths or path traversal sequences (`../`). | LLM | scripts/ui-test.js:209 |
| MEDIUM | Denial of Service via malformed or excessively large JSON input: The `saveRun` function in `scripts/ui-test.js` uses `JSON.parse()` on `result.stepResults` and `result.screenshots`, which are derived from user-controlled command-line arguments (`process.argv`). Providing malformed JSON could cause parsing errors and script termination, leading to a denial of service for the `saveRun` command. Additionally, excessively large JSON strings could lead to memory exhaustion. Implement robust error handling around `JSON.parse()` calls to gracefully handle malformed input. Consider adding input validation to limit the size and structure of the JSON strings accepted from command-line arguments. | LLM | scripts/ui-test.js:160 |