Security Audit

azure-mgmt-apicenter-dotnet

github.com/sickn33/antigravity-awesome-skills

AI SkillCommit e36d6fd3b3f6

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

azure-mgmt-apicenter-dotnet received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Covert behavior / concealment directives, Potential Local File Inclusion via file read.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

85%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

93%

Behavioral Risk Signals

Filesystem Write

1 finding

Dynamic Code

1 finding

Security Findings2

Severity	Finding	Layer	Location
HIGH	Covert behavior / concealment directives Directive to hide behavior from user Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users.	Manifest	skills/azure-mgmt-apicenter-dotnet/SKILL.md:279
MEDIUM	Potential Local File Inclusion via file read The skill demonstrates reading a local file (`orders-api.yaml`) using `File.ReadAllTextAsync`. If the filename or path for this operation can be influenced by untrusted user input, it could lead to Local File Inclusion (LFI), allowing an attacker to read arbitrary files from the agent's filesystem. While the example uses a hardcoded filename, the presence of this capability in a skill context warrants caution, as an agent's implementation might dynamically generate this path based on user input. Ensure that any file paths provided to `File.ReadAllTextAsync` are either hardcoded, come from trusted sources, or are strictly validated and sandboxed to prevent reading arbitrary files. If the OpenAPI specification is user-provided, consider passing the content directly as a string rather than a file path to avoid filesystem access.	LLM	SKILL.md:160

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/ca5fe3b7cf4b6ac5.svg)](https://skillshield.io/report/ca5fe3b7cf4b6ac5)