Trust Assessment
dependency-updater received a trust score of 15/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 1 medium, and 1 low severity. Key findings include network egress to untrusted endpoints, covert behavior / concealment directives, and command injection via unsanitized tool name execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Command Injection via unsanitized tool name execution | The `scripts/check-tool.sh` script directly executes the content of the `$TOOL_NAME` variable on line 16 to retrieve its version. If an attacker can control the `TOOL_NAME` argument passed to this script (e.g., through a crafted skill input that eventually invokes this script with a malicious `TOOL_NAME`), they can inject arbitrary shell commands, leading to remote code execution. | Avoid direct execution of unsanitized input. Instead of `$TOOL_NAME --version`, ensure `TOOL_NAME` is strictly validated against a whitelist of allowed executable names. A safer approach for checking tool existence and version might involve using `command -v "$TOOL_NAME" >/dev/null && "$TOOL_NAME" --version` or `type -P "$TOOL_NAME" >/dev/null && "$TOOL_NAME" --version` after verifying the tool name is safe. | Static | scripts/check-tool.sh:16 |
| CRITICAL | Command Injection via unsanitized arguments to 'taze' | The `scripts/run-taze.sh` script executes `taze "$@"` on line 20, which passes all arguments received by the script directly to the `taze` command. If these arguments originate from untrusted user input without proper sanitization, an attacker can inject arbitrary shell commands, leading to remote code execution. | When passing arguments derived from untrusted input, ensure they are properly sanitized or escaped to prevent shell metacharacters from being interpreted as commands. Consider using `exec` with an explicit list of arguments or a library function that handles argument escaping for shell commands, rather than direct shell expansion of `$@`. | Static | scripts/run-taze.sh:20 |
| HIGH | LLM analysis found no issues despite critical deterministic findings | Deterministic layers flagged 2 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | (none given) | LLM | (sanity check) |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text). | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/53e6a572695c49f5