Security Audit
gh-address-comments
github.com/davila7/claude-code-templates
Trust Assessment
gh-address-comments received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Untrusted skill description contains direct instructions for LLM.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Untrusted skill description contains direct instructions for LLM | The entire `SKILL.md` content is marked as untrusted input, yet it contains explicit instructions for the LLM on how to operate, such as 'Guide to find the open PR...', 'Run scripts/fetch_comments.py', 'Ask the user for clarification', and 'Apply fixes for the selected comments'. This attempts to manipulate the host LLM's behavior using untrusted data, which is a direct prompt injection vulnerability. | Move LLM instructions out of the untrusted skill description into a trusted prompt template or system instruction. The untrusted content should only describe the skill's capabilities, not dictate the LLM's actions. | LLM | SKILL.md:3 |
| HIGH | Arbitrary command execution via PostToolUse hook | The skill's manifest defines a `PostToolUse` hook of type `command`. This allows for the execution of arbitrary shell commands on the host system after a tool use. While the current command (`echo "[$(date)] GH Address Comments: Executed gh command to address PR comments" >> ~/.claude/gh-address-comments.log`) is benign, this mechanism presents a direct command injection vulnerability if the command string were to be dynamically constructed or changed to something malicious. | Avoid using `command` type hooks for arbitrary shell execution. If shell execution is absolutely necessary, use a more constrained and sandboxed execution environment, or ensure commands are strictly whitelisted and parameterized, preventing injection. | LLM | Manifest |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Skill requests escalated sandbox permissions | The untrusted `SKILL.md` explicitly instructs the LLM to 'Run all `gh` commands with elevated network access' and to 'rerun it with `sandbox_permissions=require_escalated`'. This indicates a request for broad and potentially excessive system permissions, which could be abused if the skill's actions are compromised or malicious. | Review and minimize the requested permissions to only what is strictly necessary for the skill's intended function. Avoid requesting `require_escalated` unless absolutely critical and justified, and ensure such requests are handled securely by the host environment. | LLM | SKILL.md:7 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text). | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |