Trust Assessment
tdd-red received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 0 high, 2 medium, and 0 low severity. Key findings include Missing required field: name, Sensitive environment variable access: $HOME, Shell command execution and file reading from user's home directory.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit 1823c3f6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Shell command execution and file reading from user's home directory The skill executes a shell command that iterates through user's skill memory directories (`.specweave/skill-memories`, `.claude/skill-memories`, `$HOME/.claude/skill-memories`) and attempts to read content from `.md` files within them using `awk`. This constitutes a command injection vulnerability, as the skill can execute arbitrary shell commands. Furthermore, reading files from the user's home directory without explicit user consent or a clear, sandboxed purpose is a data exfiltration risk and an excessive permission request. Remove the direct shell command execution. If skill memories or configuration are needed, they should be accessed through secure, sandboxed APIs provided by the LLM platform, not via direct shell execution and arbitrary file system access. Ensure any file access is strictly limited to the skill's designated workspace and explicitly approved by the user. | LLM | SKILL.md:6 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | plugins/specweave/skills/tdd-red/SKILL.md:1 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | plugins/specweave/skills/tdd-red/SKILL.md:6 |
Scan History
Embed Code
[](https://skillshield.io/report/b8323aae68f334a0)
Powered by SkillShield