Trust Assessment
gitops-workflow received a trust score of 71/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include "Missing required field: name", "Direct execution of remote script with root privileges", and "Unpinned remote Kubernetes manifest".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit 1823c3f6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Direct execution of remote script with root privileges** The skill recommends installing Flux CD by piping the output of a `curl` command directly to `sudo bash`. This practice is highly risky as it executes arbitrary code from a remote source with root privileges. If the remote server (`fluxcd.io`) were compromised, an attacker could execute malicious code on the system where this command is run, leading to a supply chain attack. Avoid piping remote scripts directly to `sudo bash`. Instead, download the script, review its content for malicious code, and then execute it. Alternatively, use a package manager if available, or pin to a specific version/checksum of the script to ensure integrity. | Static | SKILL.md:78 |
| MEDIUM | **Missing required field: name** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | plugins/specweave-kubernetes/skills/gitops-workflow/SKILL.md:1 |
| MEDIUM | **Unpinned remote Kubernetes manifest** The skill recommends installing ArgoCD by applying a Kubernetes manifest directly from a `stable` URL on GitHub. While `argoproj` is the official source, relying on a non-versioned or non-checksummed URL means the content could change unexpectedly. This introduces a supply chain risk where a compromised `stable` branch or repository could lead to the deployment of malicious or vulnerable configurations without explicit review. Pin the Kubernetes manifest to a specific, immutable version (e.g., a commit hash or a specific release tag) instead of a `stable` branch. Alternatively, download and review the manifest locally before applying it to ensure its integrity and prevent unexpected changes. | Static | SKILL.md:66 |