Trust Assessment
theme-factory received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Potential Path Traversal via User-Defined Theme Names.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 6195a031). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Potential Path Traversal via User-Defined Theme Names. The skill allows users to 'Create your Own Theme' and instructs the agent to 'Give the theme a similar name' based on user inputs. If this user-provided name is subsequently used to construct file paths for storing or retrieving the generated theme within the `themes/` directory without proper sanitization, it could lead to a path traversal vulnerability. An attacker could inject directory traversal sequences (e.g., `../../`) into the theme name, potentially causing the agent to write to or read from files outside the intended `themes/` directory, leading to unauthorized file access or modification. Ensure that any user-provided input used to construct file paths (e.g., for new theme names) is strictly sanitized to prevent directory traversal attacks. This includes validating the input against a whitelist of allowed characters or using robust path normalization functions. The underlying file system access tools should enforce strict sandboxing to limit file operations to designated directories. | Unknown | SKILL.md:39 |