Security Audit
rspress-description-generator
github.com/rstackjs/agent-skillsTrust Assessment
rspress-description-generator received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via rspress.config.* file execution, Potential Excessive Permissions due to `root` path resolution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 76880945). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Potential Command Injection via rspress.config.* file execution The skill describes reading `rspress.config.ts`, `.js`, `.mjs`, or `.cjs` files and 'determining the resolved directory path' for the `root` option, even if it's a 'JS expression (`root: path.join(__dirname, 'docs')`)'. If the skill executes these JavaScript/TypeScript files to resolve the `root` option, it introduces a critical command injection vulnerability. A malicious `rspress.config.js` could contain arbitrary code that would be executed by the skill, leading to arbitrary code execution on the host system. The skill must not execute arbitrary JavaScript/TypeScript config files. Instead, it should use a safe, static parsing method (e.g., Abstract Syntax Tree parsing) to extract the `root` value without executing any code. If dynamic resolution is absolutely necessary, it must be done within a strictly sandboxed environment that prevents file system access, network calls, or process execution. | LLM | SKILL.md:19 | |
| HIGH | Potential Excessive Permissions due to `root` path resolution The skill determines a 'docs root' based on the `root` option in `rspress.config.*` files. While it mentions resolving paths 'relative to the config file's directory,' if the `root` option can be manipulated (e.g., via `path.join(__dirname, '../../../../sensitive_dir')` or similar path traversal techniques within the JS expression) to point outside the intended documentation directory, the skill's subsequent file system operations (globbing, reading, writing) could affect sensitive files or directories. This risk is amplified if the command injection vulnerability (SS-LLM-003) is present, allowing a malicious config to define an arbitrary `root` path. Implement strict path sanitization and validation for the resolved `root` directory. Ensure the resolved path remains strictly within the expected project boundaries and cannot traverse upwards or to arbitrary system locations. If the `root` is resolved dynamically, ensure the resolution process itself is sandboxed and cannot access or modify files outside the intended scope. | LLM | SKILL.md:19 |
Scan History
Embed Code
[](https://skillshield.io/report/4f97daa859ffe4d1)
Powered by SkillShield