Trust Assessment
The `done` skill received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 1 critical, 2 high, 3 medium, and 0 low severity. Key findings include "Missing required field: name", "Sensitive environment variable access: $HOME", and "Arbitrary Shell Command Execution in Markdown".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 15, 2026 (commit 1823c3f6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary Shell Command Execution in Markdown. The skill's `SKILL.md` contains a direct shell command (`!s="done"; for d in ...`) embedded in the markdown. If the agent's execution environment interprets this markdown as executable code, it allows for arbitrary command injection. This specific command attempts to read files from `$HOME/.claude/skill-memories`, which could contain sensitive data. Remove direct shell command execution from markdown. Implement any necessary functionality within a securely designed and sandboxed script or skill, ensuring all inputs are validated and sanitized. | LLM | SKILL.md:7 |
| HIGH | Unsanitized User Input Passed to Sub-Skills. The skill passes the user-provided `incrementId` directly into invocations of other skills (e.g., `/sw:qa ${incrementId}`). If these invoked skills use `incrementId` in shell commands, file paths, or other contexts without proper sanitization, it could lead to command injection, path traversal, or other vulnerabilities in the downstream skills. Ensure all user-provided arguments, such as `incrementId`, are strictly validated and sanitized (e.g., whitelisting allowed characters, escaping shell metacharacters) before being passed to any sub-skills or used in contexts that could lead to command execution or file system interaction. | LLM | SKILL.md:130 |
| HIGH | Potential for Unauthorized GitHub Actions via Unsanitized External Reference. The skill uses `gh issue close -R` to close GitHub issues, deriving the repository from `metadata.external_ref`. If `metadata.external_ref` can be influenced by untrusted input, an attacker could potentially manipulate the target repository, leading to unauthorized actions (e.g., closing issues in arbitrary repositories) if the agent possesses the necessary GitHub permissions. Implement strict validation and sanitization for `metadata.external_ref` to ensure it only references authorized repositories. Additionally, enforce robust access control checks before executing `gh issue close -R` to prevent unauthorized repository manipulation. | LLM | SKILL.md:114 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | plugins/specweave/skills/done/SKILL.md:1 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | plugins/specweave/skills/done/SKILL.md:6 |
| MEDIUM | Unverified Bash Script Execution in Manifest Hook. The skill's manifest defines a `Stop` hook that executes a bash script (`plugins/specweave/hooks/v2/guards/completion-guard.sh`). Without access to the script's source code, it's impossible to verify if it securely handles all inputs (e.g., environment variables, skill arguments, file contents). This creates a potential command injection vulnerability if the script is not securely implemented. Provide the source code for `plugins/specweave/hooks/v2/guards/completion-guard.sh` for security review. Ensure the script rigorously validates and sanitizes all inputs before using them in shell commands or file operations. | LLM | Manifest:4 |