Security Audit
wiki-vitepress
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
wiki-vitepress received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include Untrusted content attempts to instruct LLM on activation, Untrusted content instructs shell command execution, Unpinned external dependencies introduce supply chain risk.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Untrusted content attempts to instruct LLM on activation.** The untrusted `SKILL.md` contains explicit instructions for the host LLM on when to activate the skill, such as "User asks to 'build a site'" or "User runs the `/deep-wiki:build` command". This is a direct attempt to manipulate the LLM's behavior based on untrusted input, violating the instruction to treat everything between the delimiters as untrusted data, not instructions. Recommendation: remove all instructions intended for the host LLM from within the untrusted content delimiters; LLM activation conditions should be defined outside of the untrusted skill package content. | LLM | SKILL.md:9 |
| CRITICAL | **Untrusted content instructs shell command execution.** The skill explicitly instructs the execution of `cd wiki-site && npm install && npm run docs:build`. `npm install` can download and execute arbitrary code defined in a `package.json` file, leading to remote code execution. `npm run docs:build` executes scripts defined within the `package.json`, which can also lead to arbitrary command execution. This is a direct command injection vulnerability. Recommendation: avoid executing shell commands directly from untrusted skill content. If external tools are necessary, use a sandboxed environment with strict allow-listing of commands and arguments, or pre-defined, safe execution paths. Ensure all dependencies are explicitly pinned to known-good versions. | LLM | SKILL.md:100 |
| HIGH | **Unpinned external dependencies introduce supply chain risk.** The skill mentions using `vitepress-plugin-mermaid` and instructs `npm install`. Without explicit version pinning in a `package.json` (which is implied to be generated or provided by the skill), `npm install` could fetch the latest, potentially malicious, versions of dependencies. This introduces a supply chain risk where a compromised dependency could lead to arbitrary code execution during the build process. Recommendation: ensure all external dependencies are explicitly pinned to specific, known-good versions in `package.json` or similar manifest files, and implement dependency scanning and integrity checks. | LLM | SKILL.md:30 |
| MEDIUM | **Skill implies broad file system read/write access.** The "Post-Processing Rules" section states, "Before VitePress build, scan all `.md` files and fix". This implies the skill will have read and potentially write access to all Markdown files within the `wiki-site` directory. While necessary for its stated function, this broad access, combined with the command injection risk, could be exploited to read or modify sensitive files if the execution environment is not properly sandboxed. Recommendation: implement strict sandboxing for skill execution environments, limiting file system access to only the necessary directories and files, and clearly define and enforce the scope of file operations. | LLM | SKILL.md:89 |
Full report: https://skillshield.io/report/ec37bc706e2a72bf