Trust Assessment
ui-ux-pro-max received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Direct command execution with untrusted user input.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Direct command execution with untrusted user input The skill explicitly instructs the LLM to execute a Python script (`skills/ui-ux-pro-max/scripts/search.py`) and passes user-provided input directly as arguments to this script. For example, the placeholder `<product_type> <industry> <keywords>` is derived from user requests. If this input is not properly sanitized or escaped by the calling mechanism (e.g., the shell or the Python script itself), a malicious user could inject arbitrary shell commands, leading to command injection and potential arbitrary code execution. Ensure all user-provided arguments passed to shell commands are properly escaped or quoted. Ideally, use a library function that handles argument escaping for the target shell, or pass arguments as a list to `subprocess.run` (or similar) to avoid shell interpretation. If the `search.py` script is designed to handle raw user input, it must perform robust input validation and sanitization. | LLM | SKILL.md:140 |
Scan History
Embed Code
[](https://skillshield.io/report/bcd40449a5b55465)
Powered by SkillShield