Trust Assessment
vector-search received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 3 high, 1 medium, and 0 low severity. Key findings include "Missing required field: name", "Broad Filesystem Access in Document Indexing Pipeline", and "Unrestricted Qdrant Client Host Configuration".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Broad Filesystem Access in Document Indexing Pipeline.** The `DocumentIndexingPipeline` class, specifically methods `extract_pdf_text`, `index_document`, and `index_directory`, allows reading arbitrary files and traversing directories on the filesystem. If an attacker can control the `file_path` or `directory` arguments passed to these methods, they could instruct the skill to read sensitive files (e.g., configuration files, credential files, system files). The content of these files would then be indexed into the vector database, making it potentially retrievable and exfiltratable, especially if the RAG system is used to query over this indexed data or if the vector database is configured to connect to an external, potentially malicious, host. Remediation: Implement strict input validation and sanitization for `file_path` and `directory` arguments. Restrict file access to a predefined, secure directory (e.g., a sandbox). Avoid `os.walk` on arbitrary paths. If indexing user-provided files, ensure they are uploaded to a secure, isolated storage and their paths are validated. Consider using a dedicated file access tool with granular permissions. | LLM | SKILL.md:185 |
| HIGH | **Unrestricted Qdrant Client Host Configuration.** The `ConstructionVectorDB` class allows specifying an arbitrary `host` and `port` for the `QdrantClient`. If an attacker can control the `host` argument during the initialization of `ConstructionVectorDB`, they could direct the vector database to connect to a malicious external server. Any data indexed into this database (which could include sensitive information read by the `DocumentIndexingPipeline`) would then be sent to the attacker-controlled server, leading to data exfiltration. Remediation: Restrict the `host` argument to a whitelist of trusted endpoints or ensure it can only be configured via secure, non-user-controlled means (e.g., environment variables managed by the deployment environment, not directly passed by user input). If `host` must be configurable, validate it against a strict regex or a predefined list of allowed hosts. | LLM | SKILL.md:60 |
| HIGH | **Unsanitized User Query and Context in RAG Prompts.** The `ConstructionRAG` class constructs prompts for the OpenAI LLM by directly embedding the user `query` and retrieved `context` (document text) without sanitization or robust separation. If an attacker can control the `query` input or inject malicious instructions into the indexed documents (which is possible given the broad filesystem access of `DocumentIndexingPipeline`), they could manipulate the LLM's behavior, leading to prompt injection. This could cause the LLM to ignore instructions, reveal sensitive information from its training data or other indexed documents, or generate harmful content. Remediation: Implement robust prompt engineering techniques to isolate user input and retrieved context from system instructions. This can include using structured data formats (e.g., JSON), specific delimiters, or dedicated LLM features for tool use/function calling. Ensure that indexed documents are thoroughly vetted for malicious content if they originate from untrusted sources. Consider using a separate, sandboxed LLM for processing untrusted inputs or implementing input sanitization/filtering for user queries. | LLM | SKILL.md:270 |
| MEDIUM | **Missing required field: name.** The `name` field is required for claude_code skills but is missing from the frontmatter. Remediation: Add a `name` field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/vector-search/SKILL.md:1 |