Trust Assessment
xml-reader received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Missing required field: name, Arbitrary File Read via XML Parsing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary File Read via XML Parsing: the `parse_file` method in `ConstructionXMLReader` passes a user-provided `file_path` argument directly to `xml.etree.ElementTree.parse()`. If `file_path` is not validated or restricted, an attacker could supply arbitrary paths (e.g., `/etc/passwd`, `/app/secrets.txt`) and read sensitive files from the system, leading to data exfiltration. Remediation: implement strict validation and sanitization of `file_path` so that it only points to allowed locations or files; use an allowlist of directories, or resolve the path relative to a secure base directory and reject path traversal sequences (e.g., `../`). If the skill is only meant to read files uploaded by the user, store the upload in a secure, isolated temporary directory and pass that path, not an arbitrary user-supplied one. | LLM | SKILL.md:38 |
| MEDIUM | Missing required field: name. The `name` field is required for claude_code skills but is missing from the frontmatter. Remediation: add a `name` field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/xml-reader/SKILL.md:1 |