Trust Assessment
nx-workspace received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Potential Information Disclosure via `nx show project --json`.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit f4b5c7d6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Potential Information Disclosure via `nx show project --json` | Unknown | SKILL.md:27 |

The skill explicitly recommends using `nx show project <name> --json` to retrieve the 'full resolved configuration' of an Nx project, labeling this recommendation as 'Critical'. While this command is intended for introspection, if an Nx workspace's project configuration files (`project.json`, `nx.json`) contain sensitive information (e.g., paths to secret files, internal network addresses, specific build commands revealing proprietary tools, or environment variables), then executing this command with an attacker-controlled project name could lead to the disclosure of this sensitive internal configuration data. The skill's emphasis on using this command for 'full resolved configuration' increases the likelihood of an agent using it in a way that could expose such data.

Implement strict input validation and sanitization for project names provided by untrusted sources before executing `nx show project`. Additionally, ensure that Nx project configuration files do not contain sensitive credentials or paths that should not be exposed; use environment variables or dedicated secret management systems for such data. The skill could also add a warning about the potential for sensitive information disclosure if project configurations contain secrets, advising against using this command with untrusted input without proper sanitization.