Security Audit
finishing-a-development-branch
github.com/davila7/claude-code-templatesTrust Assessment
finishing-a-development-branch received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 3 high, 1 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Potential Command Injection via Unsanitized Placeholders in Git Commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Command Injection via Unsanitized Placeholders in Git Commands The skill defines several Git commands that use placeholders such as `<base-branch>`, `<feature-branch>`, and `<worktree-path>`. If the values for these placeholders are derived from untrusted user input and are not properly shell-quoted or sanitized by the host LLM before execution, an attacker could inject arbitrary shell commands. For example, a malicious branch name like `mybranch; rm -rf /` could lead to arbitrary code execution. The host LLM's execution environment must ensure that all dynamic parts of shell commands, especially those derived from user input or potentially untrusted sources, are properly quoted or escaped (e.g., using `shlex.quote` in Python) before being passed to the shell for execution. This applies to `<base-branch>`, `<feature-branch>`, and `<worktree-path>`. | LLM | SKILL.md:49 | |
| HIGH | Potential Command Injection via Unsanitized Title in GitHub PR Creation The skill instructs the LLM to create a GitHub Pull Request using `gh pr create --title "<title>"`. Although the `<title>` placeholder is enclosed in double quotes, if the title content itself contains a double quote or other shell metacharacters, it could break out of the string and allow an attacker to inject and execute arbitrary shell commands. For example, a title like `"my title"; rm -rf /` could lead to command injection. The host LLM's execution environment must ensure that the `<title>` placeholder, when filled, is robustly shell-escaped to prevent breaking out of the double-quoted string. Using a function like `shlex.quote()` on the entire title string before embedding it in the command is recommended. | LLM | SKILL.md:70 | |
| HIGH | Potential Command Injection via Direct Execution of Unsanitized Test Command The skill specifies the execution of a generic `<test command>` at multiple points (e.g., 'Run project's test suite', 'Verify tests on merged result'). If the specific test command chosen by the LLM is constructed from untrusted input or user-provided configuration without proper sanitization, it presents a direct command injection vulnerability, allowing an attacker to execute arbitrary code. The host LLM's implementation must ensure that any `<test command>` executed is either hardcoded, selected from a predefined safe list, or, if dynamically constructed, that all its components are rigorously sanitized and shell-escaped to prevent command injection. | LLM | SKILL.md:26 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Scan History
Embed Code
[](https://skillshield.io/report/8fc7fe57ee361e61)
Powered by SkillShield