Trust Assessment
writing-plans received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include "Generated plans contain executable shell commands", "Skill instructs saving files to a dynamic path", and "Dependency on other skills with potentially broad permissions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Generated plans contain executable shell commands.** The `writing-plans` skill generates detailed implementation plans that explicitly include shell commands (e.g., `pytest`, `git`). These commands are intended to be executed by other skills (e.g., `executing-plans`, `subagent-driven-development`). If the arguments to these commands (such as file paths, test names, or commit messages) are derived from untrusted user input without proper sanitization, an attacker could inject malicious commands or arguments, leading to arbitrary code execution on the host system. Ensure that any skill executing these generated plans strictly sanitizes all user-controlled input used in shell commands. Implement a robust sandboxing mechanism for command execution. Consider using an allow-list for commands and arguments. | LLM | SKILL.md:50 |
| MEDIUM | **Skill instructs saving files to a dynamic path.** The skill instructs the LLM to save generated plans to `docs/plans/YYYY-MM-DD-<feature-name>.md`. If the `<feature-name>` component is directly derived from untrusted user input without proper sanitization, an attacker could use path traversal techniques (e.g., `../../sensitive.txt`) to write files to arbitrary locations on the file system, potentially overwriting critical files or exfiltrating data by writing it to an accessible location. The host LLM's file saving mechanism must strictly sanitize or validate the `<feature-name>` component to prevent path traversal. It should ensure that files are only written within the intended `docs/plans/` directory or a designated sandbox. | LLM | SKILL.md:20 |
| LOW | **Dependency on other skills with potentially broad permissions.** The `writing-plans` skill explicitly requires the use of `superpowers:executing-plans` and `superpowers:subagent-driven-development` for plan execution. The specific permissions and capabilities of these dependent skills are not defined within this context. If these skills possess broad access to the file system, network, or shell execution, and they are invoked based on potentially untrusted content generated by `writing-plans`, it could lead to an elevated attack surface or privilege escalation. This is a general concern about the security posture of the entire skill ecosystem. Conduct a thorough security audit of all dependent skills (`superpowers:executing-plans`, `superpowers:subagent-driven-development`) to understand their permissions and ensure they operate within a least-privilege model and are properly sandboxed. | LLM | SKILL.md:35 |