Security Audit
cursor-subagent-creator
github.com/tech-leads-club/agent-skillsTrust Assessment
cursor-subagent-creator received a trust score of 90/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Path Traversal in Subagent Filename.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit f4b5c7d6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Path Traversal in Subagent Filename The skill instructs the LLM to create a file at a path derived from user input: `.cursor/agents/[agent-name].md`. If the `[agent-name]` is taken directly from unsanitized user input, an attacker could use path traversal sequences (e.g., `../../`) to write files to arbitrary locations on the filesystem. This could lead to overwriting critical system files, creating malicious executables in unexpected locations, or other severe consequences. While the skill suggests a 'kebab-case' naming convention, it does not explicitly state that the `[agent-name]` will be sanitized or validated against path traversal attempts before being used in the file path. Ensure that the `[agent-name]` derived from user input is strictly validated to prevent path traversal characters (e.g., `.` or `/`) and is constrained to be a simple filename before being used in the file path. Programmatically enforce the 'kebab-case' naming convention and sanitize any user-provided filename. | Unknown | SKILL.md:275 |
Scan History
Embed Code
[](https://skillshield.io/report/674f09f3c06cd514)
Powered by SkillShield