Security Audit
build-workspace-docs
github.com/skillcreatorai/Ai-Agent-Skills
Trust Assessment
build-workspace-docs received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings: the skill instructs direct shell command execution, and it relies on an unpinned `npx` dependency for `ai-agent-skills`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit 039ad59e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned `npx` dependency for `ai-agent-skills`.** The skill uses `npx ai-agent-skills` without specifying a version. This means that every execution will fetch the latest version of the `ai-agent-skills` package from the npm registry. If a malicious update is published to this package, the skill would unknowingly execute compromised code, leading to potential command injection, data exfiltration, or other severe security breaches. Recommendation: pin the version of the `ai-agent-skills` package when using `npx` (e.g., `npx ai-agent-skills@4.1.0 build-docs`). Regularly review and update the pinned version to incorporate security fixes and new features. | LLM | SKILL.md:17 |
| MEDIUM | **Skill instructs direct shell command execution.** The skill's documentation instructs the LLM to execute `npx ai-agent-skills build-docs` commands directly in the shell. This grants the LLM the ability to run arbitrary commands on the host system if the `ai-agent-skills` package is compromised or if the LLM is prompted to modify the command. While the commands themselves are for documentation generation, direct shell execution always carries inherent risks. Recommendation: evaluate the necessity of direct shell execution. If required, ensure robust input validation and consider sandboxing the execution environment. For `npx`, consider pinning the version to mitigate supply chain risks. | LLM | SKILL.md:17 |
Powered by SkillShield