Trust Assessment
Post-Merge Pull received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The key findings are "Skill definition, sourced from untrusted input, dictates arbitrary shell command execution" and "Execution of `make install` from untrusted skill without `Makefile` context".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on April 1, 2026 (commit 388d7666). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Skill definition, sourced from untrusted input, dictates arbitrary shell command execution.** The entire skill definition, including the shell commands to be executed, is provided within content explicitly marked as untrusted (between `<!---UNTRUSTED_INPUT_START...--->` and `<!---UNTRUSTED_INPUT_END...--->`). Despite being marked as untrusted, the system is designed to parse and execute these commands as part of the skill's functionality. This represents a direct command injection vulnerability, allowing an attacker to define and execute arbitrary shell commands on the host system by providing a malicious skill definition. All commands listed under 'Steps' (e.g., `git pull`, `make install`) are directly sourced from this untrusted input. **Recommendation:** Skill definitions must be treated as trusted code or undergo rigorous sandboxing and validation if sourced from untrusted input. The framework should prevent the execution of commands directly extracted from content explicitly marked as untrusted. If `SKILL.md` is intended to be a *description* of a skill, the actual executable logic should reside in a trusted, separate component. | LLM | SKILL.md:15 |
| HIGH | **Execution of `make install` from untrusted skill without `Makefile` context.** The skill executes `make install` as part of its operation. The `Makefile` that this command would invoke is not provided in the analysis context. This means the exact actions performed by `make install` are unknown. If the `Makefile` is malicious, or if it fetches and executes untrusted code (e.g., from a compromised repository or unpinned dependencies), it could lead to arbitrary code execution and supply chain compromise. The command itself is defined within untrusted content, exacerbating the risk. **Recommendation:** Provide the `Makefile` for analysis to assess its safety. Ensure that `make install` targets are well-defined, do not execute arbitrary code, and use pinned dependencies. If the skill definition is untrusted, `make` commands should be disallowed or heavily sandboxed. | LLM | SKILL.md:26 |