Security Audit
cursor-subagent-creator
github.com/tech-leads-club/agent-skills
Trust Assessment
cursor-subagent-creator received a trust score of 90/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Path Traversal in Subagent Filename.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit f4b5c7d6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Path Traversal in Subagent Filename: The skill instructs the LLM to create a file at a path derived from user input: `.cursor/agents/[agent-name].md`. If `[agent-name]` is taken directly from unsanitized user input, an attacker could use path traversal sequences (e.g., `../../`) to write files to arbitrary locations on the filesystem. This could lead to overwriting critical system files, creating malicious executables in unexpected locations, or other severe consequences. While the skill suggests a kebab-case naming convention, it does not explicitly state that `[agent-name]` will be sanitized or validated against path traversal attempts before being used in the file path. Recommendation: ensure that the `[agent-name]` derived from user input is strictly validated to reject path traversal characters (e.g., `.` or `/`) and is constrained to a simple filename before being used in the file path. Programmatically enforce the kebab-case naming convention and sanitize any user-provided filename. | LLM | SKILL.md:275 |
Full report: https://skillshield.io/report/674f09f3c06cd514
Powered by SkillShield