Security Audit
writing-skills
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
writing-skills received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 3 critical, 2 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution, Path Traversal in Skill Directory Argument Leading to Arbitrary File Read/Write, Command Injection Risk via Untrusted Input to Graphviz 'dot' Executable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution**: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/writing-skills/render-graphs.js:18 |
| CRITICAL | **Arbitrary command execution**: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/writing-skills/render-graphs.js:72 |
| CRITICAL | **Arbitrary command execution**: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/writing-skills/render-graphs.js:112 |
| HIGH | **Path Traversal in Skill Directory Argument Leading to Arbitrary File Read/Write**: The `render-graphs.js` script constructs file paths using a command-line argument (`skillDirArg`) without sufficient validation. An attacker can provide a path traversal sequence (e.g., `../../../../etc`) as `skillDirArg`. This allows the script to read `SKILL.md` from arbitrary locations (e.g., `/etc/passwd` if a symlink or file named `SKILL.md` exists there), leading to data exfiltration. Furthermore, it allows writing generated SVG and DOT files to arbitrary directories (e.g., `/etc/diagrams`), which could lead to denial of service, privilege escalation, or other system compromise depending on the target directory's permissions and system configuration. This exposes the system to both data exfiltration and excessive permissions risks. Implement robust validation for `skillDirArg`. Ensure that the resolved path (`skillDir`) is strictly confined to an expected base directory (e.g., a dedicated skills repository root) and does not escape it. For example, after `path.resolve`, verify that `skillDir` starts with the expected base path and does not contain `..` segments that would lead outside the allowed scope. Alternatively, use a library designed for secure path handling or run the script in a chrooted environment. | LLM | render-graphs.js:59 |
| HIGH | **Command Injection Risk via Untrusted Input to Graphviz 'dot' Executable**: The `render-graphs.js` script executes the external `dot` command via `child_process.execSync`, passing `dotContent` (extracted from the untrusted `SKILL.md` file) as standard input. While the command string `dot -Tsvg` is hardcoded, `dot` is a complex native executable that processes a specialized language. A malicious `SKILL.md` could contain specially crafted `dotContent` designed to exploit vulnerabilities (e.g., buffer overflows, parsing flaws, or unexpected behavior) within the `graphviz` `dot` program. Such an exploit could lead to arbitrary code execution, denial of service, or other system compromises on the host running the script. This represents a command injection vector through a third-party dependency. To mitigate this risk: 1. **Input Sanitization/Validation**: Implement strict validation or sanitization of the `dotContent` to ensure it conforms to a safe subset of the Graphviz DOT language. This is challenging due to the complexity of DOT. 2. **Sandboxing**: Execute the `dot` command within a highly restricted sandbox environment (e.g., a container, `chroot`, or `seccomp` filters) that limits its access to the filesystem, network, and other system resources. 3. **Least Privilege**: Ensure the `render-graphs.js` script and the `dot` executable run with the absolute minimum necessary user and process permissions. 4. **Regular Updates**: Keep the `graphviz` package updated to the latest version to benefit from security patches. | LLM | render-graphs.js:49 |