Trust Assessment
rspack-tracing received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Local File Inclusion via Unvalidated Path Input.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit 76880945). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Local File Inclusion via Unvalidated Path Input The `analyze_trace.js` script directly uses `process.argv[2]` as a file path without validation or sanitization. An attacker could provide a path to an arbitrary file on the system (e.g., `/etc/passwd`, `../../.env`) to read its contents, leading to information disclosure. While the `SKILL.md` instructs the agent to use a fixed `trace.json` filename, the underlying script is vulnerable if the agent is prompted by a malicious user to provide a different path. Validate the `tracePath` argument to ensure it refers to a file within an expected, controlled directory (e.g., the current working directory or a designated temporary folder). Prevent directory traversal by resolving the path and checking if it's within the allowed scope. For example, ensure `path.resolve(tracePath)` is a child of `path.resolve(process.cwd())` or a specific temporary directory. | Static | scripts/analyze_trace.js:29 |
Scan History
Embed Code
[](https://skillshield.io/report/8237de7e45669861)
Powered by SkillShield