Trust Assessment
vercel-optimize received a trust score of 28/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include Prompt Injection Attempt (Security Instruction), Command Injection via `process.chdir` with untrusted argument, Command Injection / Path Traversal via `rootDir` from untrusted argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 18011566). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Prompt Injection Attempt (Security Instruction) | The skill's untrusted `SKILL.md` body contains direct instructions to the host LLM regarding security practices, specifically warning against leaking authentication tokens in shell commands. While the instruction itself is a good security practice, its presence within untrusted content constitutes a prompt injection attempt, as it tries to control the LLM's behavior from an untrusted source. The LLM should not follow instructions embedded in untrusted content. | Remove all instructions intended for the host LLM from the untrusted skill content. LLM behavior should be governed by system-level instructions, not user-provided or skill-provided content. | LLM | SKILL.md:30 |
| HIGH | Command Injection via `process.chdir` with untrusted argument | The `scripts/deep-dive.mjs` script uses `process.chdir(explicitCwd)` where `explicitCwd` is parsed directly from `process.argv`. If the LLM is prompted to provide a malicious value for the `--cwd` argument (e.g., containing path traversal sequences like `../../` or shell metacharacters if the execution environment allows), it could change the working directory to an arbitrary location. This could lead to subsequent file operations or script executions occurring in an unintended and potentially malicious context, enabling arbitrary code execution or unauthorized file access. | Sanitize or strictly validate all command-line arguments that are used in file system operations or shell commands. Ensure that paths are canonicalized and restricted to the intended project directory. Consider using a more robust argument parsing library that prevents injection, and implement explicit path validation (e.g., ensuring paths are within a designated sandbox directory). | Static | scripts/deep-dive.mjs:30 |
| HIGH | Command Injection / Path Traversal via `rootDir` from untrusted argument | The `scripts/scan-codebase.mjs` script takes `rootDir` directly from `process.argv[2]`. This `rootDir` is then used in critical file system operations like `collectFiles(rootDir)` and `enumerateRoutes(rootDir)`. If the LLM is prompted to provide a malicious value for this argument (e.g., path traversal sequences like `../../` or an absolute path to a sensitive directory), it could lead to unauthorized reading of arbitrary files on the system or execution of scripts in an unintended context. | Sanitize or strictly validate all command-line arguments that are used in file system operations. Ensure that `rootDir` is canonicalized and restricted to the intended project directory. Implement explicit path validation (e.g., ensuring paths are within a designated sandbox directory) before using them in file system calls. | Static | scripts/scan-codebase.mjs:15 |
| MEDIUM | Excessive File System Read Permissions (Repo-wide Scan) | The `scripts/scan-codebase.mjs` script, through its `collectFiles` and `enumerateRoutes` functions, performs a recursive scan and reads the content of numerous files within the `rootDir`. While the skill's `SKILL.md` doctrine states 'Read only files named by a candidate or a route-local import chain,' this script performs a broader, repo-wide scan. If the `rootDir` argument (which comes from `process.argv[2]`) can be manipulated via prompt injection, this broad access could be exploited to read sensitive files outside the intended project scope, leading to data exfiltration. | Implement strict path validation for `rootDir` to ensure it remains within the intended project boundaries. If possible, narrow the scope of file collection to only necessary files or directories, rather than a full recursive scan. Ensure that any content read from files is handled securely and not exposed unnecessarily. | Static | scripts/scan-codebase.mjs:109 |
| MEDIUM | Excessive File System Read Permissions (Sub-agent Output Collection) | The `scripts/collect-sub-agent-outputs.mjs` script, through its `collectInputFiles` and `walkDir` functions, recursively reads files from specified input paths. While these paths are typically within a temporary `RUN_DIR`, if the `args.inputs` or `args.manifestPath` (which can contain `sourcePath` values) arguments can be manipulated via prompt injection to point to sensitive directories, this broad access could be exploited to read arbitrary files on the system, leading to data exfiltration. | Implement strict path validation for all input paths to ensure they remain within the intended temporary or project boundaries. Ensure that any content read from files is handled securely and not exposed unnecessarily. If `sourcePath` values in the manifest can be influenced by untrusted input, validate them rigorously. | Static | scripts/collect-sub-agent-outputs.mjs:110 |
Full report: https://skillshield.io/report/56d4c15e534d3ed2