Trust Assessment
topviewai/skill:root received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 1 critical, 3 high, 11 medium, and 1 low severity. Key findings include Covert behavior / concealment directives, Suspicious import: requests, Potential data exfiltration: file read + network send.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 29/100, indicating areas for improvement.
Last analyzed on March 24, 2026 (commit 9080db50). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (16)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary local file upload leading to data exfiltration.** The skill explicitly allows the agent to upload local files specified by the user (e.g., `--image`, `--audio`). The `resolve_local_file` function in `scripts/shared/upload.py` checks if a given argument is a local file path and, if so, uploads its content to the Topview API. An attacker could craft a prompt to the LLM to pass paths to sensitive files (e.g., `~/.topview/credentials.json`, `/etc/passwd`, `~/.ssh/id_rsa`) as arguments to skill functions like `avatar4.py --image /etc/passwd`. The `detect_format` function only checks the file extension, which can be easily bypassed by renaming a sensitive file. This allows for arbitrary data exfiltration from the agent's host system. Implement a strict allowlist for file extensions and/or file paths that can be uploaded. Do not allow arbitrary file paths from user input. If file content is needed, use a dedicated file picker tool or ensure the LLM only operates on files it has explicitly created or been given access to within a confined directory. | LLM | scripts/shared/upload.py:50 |
| HIGH | **Covert behavior / concealment directives.** Directive to hide behavior from user. Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | SKILL.md:31 |
| HIGH | **Potential data exfiltration: file read + network send.** Function 'put_file' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | scripts/shared/client.py:124 |
| HIGH | **Path traversal vulnerability in file download functions.** Several skill scripts (e.g., `avatar4.py`, `product_avatar.py`, `remove_bg.py`, `text2voice.py`, `video_gen.py`) include `download_file` or `download_video` functions that write to a local path specified by `args.output`. If the `args.output` parameter can be controlled by untrusted user input, an attacker could provide a path like `../../../../tmp/malicious.sh` to write files to arbitrary locations on the agent's filesystem. This could lead to overwriting critical system files or placing malicious scripts in executable paths. Sanitize the `output` path argument to prevent path traversal. Ensure that the output path is always within a designated, sandboxed directory, or only allow a filename without directory components. | LLM | scripts/avatar4.py:100 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | scripts/ai_image.py:278 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | scripts/auth.py:26 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | scripts/avatar4.py:106 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | scripts/product_avatar.py:131 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | scripts/remove_bg.py:83 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | scripts/shared/client.py:7 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | scripts/text2voice.py:105 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | scripts/video_gen.py:413 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'requests>=2.28.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | scripts/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'python-dotenv>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | scripts/requirements.txt:2 |
| MEDIUM | **Unpinned dependencies in `requirements.txt`.** The `scripts/requirements.txt` file specifies dependencies with minimum versions (`requests>=2.28.0`, `python-dotenv>=1.0.0`) but does not pin them to exact versions. This introduces a supply chain risk where future installations could pull in newer, potentially vulnerable, or incompatible versions of these libraries. While `requests` and `python-dotenv` are widely used, this practice is generally discouraged for production environments as it can lead to non-reproducible builds and unexpected behavior or security issues if a dependency introduces a breaking change or vulnerability in a later version. Pin all dependencies to exact versions (e.g., `requests==2.28.1`). Use a tool like `pip-compile` or `pip freeze > requirements.txt` to generate a fully pinned `requirements.txt` file. | LLM | scripts/requirements.txt:1 |
| LOW | **Use of `webbrowser.open()` in a potentially headless agent environment.** The `scripts/auth.py` script uses `webbrowser.open(verification_url)` to automatically open the authorization URL in a browser. While the `SKILL.md` instructs the LLM to extract and send this URL to the user (mitigating the user-facing impact), the script itself still attempts to launch a browser on the agent's host. In a headless or containerized agent environment, this action is unnecessary, will likely fail, and could consume resources or lead to unexpected errors. It represents an excessive permission for a headless agent. For agent environments, remove or disable the `webbrowser.open()` call. The LLM is already instructed to extract and provide the URL to the user, making the agent's local browser action redundant and potentially problematic. The `--no-browser` flag is a good start, but it should be the default for agent execution. | LLM | scripts/auth.py:198 |