Security Audit

affaan-m/everything-claude-code:docs/ja-JP/skills/cpp-testing

github.com/affaan-m/everything-claude-code

AI SkillCommit 9a478ad67605

CAUTION

Scanned 18 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

affaan-m/everything-claude-code:docs/ja-JP/skills/cpp-testing received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via FetchContent_Declare URL.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on March 20, 2026 (commit 9a478ad6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

93%

Behavioral Risk Signals

Network Access

1 finding

Shell Execution

1 finding

Dynamic Code

1 finding

Security Findings1

Severity	Finding	Layer	Location
MEDIUM	Potential Command Injection via FetchContent_Declare URL The `CMakeLists.txt` snippet demonstrates fetching external content using `FetchContent_Declare` with a URL that includes a variable `${GTEST_VERSION}`. While `GTEST_VERSION` is hardcoded to `v1.17.0` in this example, the accompanying comment `# プロジェクトポリシーに合わせて調整します。` (adjust according to project policy) suggests it is intended to be configurable. If an AI agent allows untrusted user input to define `GTEST_VERSION` without strict validation and sanitization, a malicious string containing shell metacharacters could be injected into the URL. If the underlying `FetchContent` mechanism uses a shell command (e.g., `curl` or `wget`) to fetch the URL and does not properly escape the URL string, this could lead to arbitrary command execution on the host system. This also presents a supply chain risk if a malicious version or URL is injected. When constructing CMake files, ensure that any variables derived from untrusted input used in `FetchContent_Declare` URLs are strictly validated and sanitized to prevent shell metacharacters or other malicious content. Consider using a whitelist of allowed versions, a hash verification mechanism for fetched content, or ensuring that the underlying fetch mechanism properly escapes URL components before execution.	LLM	SKILL.md:108

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/4a848a02c802545b.svg)](https://skillshield.io/report/4a848a02c802545b)