Security Audit

Cross-Site Scripting and HTML Injection Testing

Partial VerificationCommit 9f5351e844df

CAUTION

Scanned about 1 month ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

This report is partially verified. Deterministic layers ran, but LLM behavioral analysis (L4) was not executed for this scan.

The current score of 55/100 is provisional and may change after a full L4 verification run.

Last analyzed on February 20, 2026 (commit 9f5351e8). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Manifest Analysis

55%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral SafetyNot run

—

Severity	Finding	Layer	Location
HIGH	Covert behavior / concealment directives HTML comment containing suspicious keywords Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users.	Manifest	skills/xss-html-injection/SKILL.md:57
HIGH	Covert behavior / concealment directives HTML comment containing suspicious keywords Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users.	Manifest	skills/xss-html-injection/SKILL.md:118
HIGH	Covert behavior / concealment directives HTML comment containing suspicious keywords Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users.	Manifest	skills/xss-html-injection/SKILL.md:236