The skill enables arbitrary code execution and supply chain attacks by allowing script
Claims to do
Scientific Analysis & Reporting: Before analyzing data, map the scientific context of the repository:

- **Dependency & Logic Scan**: Check `pyproject.toml` for libraries and `main.py` (or equivalent) for the execution flow.
- **Consult References**: Check the `references/` directory for background materials, standard definitions (e.g., NEMA, IEC), or methodology specifications. Use these files to define terms and expected behaviors.
- **Identify Physical Models**: Locate the core logic defining the system (constants, equations like Inverse Square Law, statistical models).
- **Locate Data**: All experimental and simulation data is stored in `data/` with comprehensive filenames (e.g., `data/radial_positions_10min_run.csv`). Always inspect file headers to confirm units and column definitions.
- **Locate Assets**: All assets like images or plots are stored in `assets/` with comprehensive filenames.
Actually does
This skill reads local files such as `pyproject.toml`, `main.py`, and content from `references/`, `data/`, and `assets/` directories. It can execute Python scripts using `uv run` and install packages with `uv add` to perform data analysis. The skill then generates a structured Markdown report, `docs/analysis-report.md`, summarizing its findings.
`/plugin marketplace add ryanchen01/documentation-skills`
`/plugin install analysis-report@ryanchen01/documentation-skills`
`npx skills add https://github.com/ryanchen01/documentation-skills`

The skill explicitly allows running existing analysis scripts and writing new Python files/scripts for execution. This grants the agent arbitrary code execution capabilities, which can be exploited for malicious purposes.
run analysis scripts (e.g., uv run main.py), write new Python files/scripts for analyzing data
The skill allows the agent to install arbitrary external packages using `uv add <package>`. This introduces a significant supply chain risk, enabling the agent to pull and execute malicious code from external repositories.
uv add <package>