Security Audit
Automattic/agent-skills:skills/wp-phpstan
github.com/Automattic/agent-skills
Trust Assessment
Automattic/agent-skills:skills/wp-phpstan received a trust score of 60/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 1 medium, and 1 low severity. Key findings include Sensitive Environment Variable Exposure, Git Remote URL Exposure, README.md Content Exposure.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on April 1, 2026 (commit 48d4aa21). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Sensitive Environment Variable Exposure: The untrusted script `scripts/phpstan_inspect.mjs` reads the `.env` file and extracts the value of `PHPSTAN_MEMORY_LIMIT`. While this specific variable might not be highly sensitive, the capability to read `.env` files and extract arbitrary variables poses a significant data exfiltration risk. A malicious skill could easily be modified to extract sensitive credentials (e.g., `DB_PASSWORD`, `API_KEY`) from the `.env` file. Avoid reading `.env` files directly within untrusted skill scripts. If specific environment variables are required, they should be explicitly passed to the skill by the agent's secure environment, rather than allowing the skill to parse the entire file. Alternatively, sanitize or restrict file system access for untrusted scripts. | Static | scripts/phpstan_inspect.mjs:234 |
| HIGH | Command Injection via Composer Script Name: The `SKILL.md` instructs the agent to execute commands suggested by the untrusted `scripts/phpstan_inspect.mjs` script, specifically `composer run ${scriptName}`. The `scriptName` is derived from the `composer.json` file, which is considered untrusted repository content. If a malicious `composer.json` were present, an attacker could craft a `scriptName` (e.g., `phpstan; rm -rf /`) that, when executed by the agent, would lead to arbitrary command injection. This is a direct command execution vulnerability originating from untrusted input. When executing commands derived from untrusted repository content, ensure that all components of the command (especially script names or arguments) are properly sanitized or validated against a strict allowlist of safe characters and patterns. Avoid direct interpolation of untrusted strings into shell commands. Consider using a more secure method for executing Composer scripts that explicitly separates the script name from potential malicious arguments. | Static | SKILL.md:48 |
| MEDIUM | Git Remote URL Exposure: The untrusted script `scripts/phpstan_inspect.mjs` reads the `.git/config` file and extracts the `remote.origin.url`. For private repositories, this URL can be sensitive information, revealing internal repository locations or private hosting details. Including this in the skill's output constitutes a data exfiltration risk. Avoid reading `.git/config` within untrusted skill scripts. If the repository URL is needed for context, it should be provided by the agent's secure environment, not extracted by the untrusted skill. Alternatively, sanitize or restrict file system access for untrusted scripts. | Static | scripts/phpstan_inspect.mjs:250 |
| LOW | README.md Content Exposure: The untrusted script `scripts/phpstan_inspect.mjs` reads the `README.md` file and includes a truncated version of its content in the output report. While `README.md` files are often public, in private repositories, they might contain sensitive internal documentation or information that should not be exfiltrated. The truncation mitigates the risk but does not eliminate it entirely. Avoid reading arbitrary file content like `README.md` within untrusted skill scripts. If specific information from the README is required, it should be explicitly requested and validated, or provided by the agent's secure environment. Alternatively, sanitize or restrict file system access for untrusted scripts. | Static | scripts/phpstan_inspect.mjs:254 |