Security Audit

nx-workspace

github.com/tech-leads-club/agent-skills

AI SkillCommit f4b5c7d699b8

TRUSTED

Scanned 9 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

nx-workspace received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.

SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Potential Information Disclosure via `nx show project --json`.

The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 11, 2026 (commit f4b5c7d6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

93%

Behavioral Risk Signals

Network Access

1 finding

Filesystem Write

1 finding

Shell Execution

1 finding

Security Findings1

Severity	Finding	Layer	Location
MEDIUM	Potential Information Disclosure via `nx show project --json` The skill explicitly recommends using `nx show project <name> --json` to retrieve the 'full resolved configuration' of an Nx project, labeling this recommendation as 'Critical'. While this command is intended for introspection, if an Nx workspace's project configuration files (`project.json`, `nx.json`) contain sensitive information (e.g., paths to secret files, internal network addresses, specific build commands revealing proprietary tools, or environment variables), then executing this command with an attacker-controlled project name could lead to the disclosure of this sensitive internal configuration data. The skill's emphasis on using this command for 'full resolved configuration' increases the likelihood of an agent using it in a way that could expose such data. Implement strict input validation and sanitization for project names provided by untrusted sources before executing `nx show project`. Additionally, ensure that Nx project configuration files do not contain sensitive credentials or paths that should not be exposed; use environment variables or dedicated secret management systems for such data. The skill could also add a warning about the potential for sensitive information disclosure if project configurations contain secrets, advising against using this command with untrusted input without proper sanitization.	Unknown	SKILL.md:27

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/9698ac541adc6c51.svg)](https://skillshield.io/report/9698ac541adc6c51)