tool-creator
Facilitates the creation of executable tool files for the Claude Code framework, enhancing automation and utility development.
Install this skill
or
64/100
Security score
The tool-creator skill was audited on May 12, 2026 and we found 8 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
medium line 154
Template literal with variable interpolation in command context
SourceSKILL.md
| 154 | throw new Error(`Invalid category. Must be one of: ${validCategories.join(', ')}`); |
medium line 161
Template literal with variable interpolation in command context
SourceSKILL.md
| 161 | const toolPath = `.claude/tools/${args.category}/${toolName}.cjs`; |
medium line 164
Template literal with variable interpolation in command context
SourceSKILL.md
| 164 | await mkdir(`.claude/tools/${args.category}`, { recursive: true }); |
medium line 167
Template literal with variable interpolation in command context
SourceSKILL.md
| 167 | const content = `#!/usr/bin/env node |
medium line 201
Template literal with variable interpolation in command context
SourceSKILL.md
| 201 | const newEntry = `| ${toolName} | ${args.description} | .claude/tools/${args.category}/${toolName}.cjs | active |`; |
medium line 392
Node child_process module reference
SourceSKILL.md
| 392 | - **`shell: false` for child processes**: Any `child_process.spawn` or `execFile` call uses `shell: false` with array arguments (never `shell: true` per SE-security rules) |
medium line 121
Webhook reference - potential data exfiltration
SourceSKILL.md
| 121 | | `integrations` | External integration tools | API clients, webhooks | |
low line 368
External URL reference
SourceSKILL.md
| 368 | - Direct API: `WebFetch({ url: 'https://arxiv.org/search/?query=<topic>&searchtype=all&start=0' })` |
Scanned on May 12, 2026
View Security Dashboard