Trust Assessment
gh-fix-ci received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 1 medium, and 1 low severity. Key findings include network egress to untrusted endpoints, covert behavior / concealment directives, and broad GitHub CLI permissions requested.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary file write via unsanitized path in `gh api` command.** The manual fallback workflow includes the command `gh api "/repos/<owner>/<repo>/actions/jobs/<job_id>/logs" > "<path>"`. If the `<path>` variable is derived from untrusted input (e.g., from `detailsUrl` or other user-controlled data), an attacker could specify an arbitrary file path. This allows for arbitrary file writes, which can lead to privilege escalation (e.g., overwriting system files), data exfiltration (e.g., writing sensitive logs to a publicly accessible location), or denial of service. Never construct file paths from untrusted input without strict validation and sanitization. Ensure that any file write operations target secure, temporary locations with restricted permissions. When executing commands, capture stdout using `subprocess.PIPE` and then write the content to a controlled, secure file path. | LLM | SKILL.md:45 |
| CRITICAL | **Potential arbitrary code execution from 'approved plan'.** Step 7 of the workflow states "Apply the approved plan." The skill's purpose is to "create a fix plan and implement after user approval." If the "plan" can contain arbitrary commands or code, and the skill executes this content, it represents a direct path to arbitrary code execution. While user approval is mentioned, the mechanism of "applying" the plan is critical. A malicious plan, even if "approved" by a user who doesn't fully understand its implications, could lead to severe compromise. The "plan" execution mechanism must be strictly sandboxed and limited to a predefined set of safe operations (e.g., specific file modifications, specific `gh` commands with sanitized arguments). Avoid `eval`, `exec`, or direct shell execution of arbitrary plan content. Implement a robust parsing and execution engine that only allows whitelisted operations and arguments. | LLM | SKILL.md:55 |
| HIGH | **Broad GitHub CLI permissions requested.** The skill explicitly requests "escalated permissions (include workflow/repo scopes)" for the `gh` CLI tool. The `workflow` and `repo` scopes grant extensive control over a GitHub repository, including read/write access to code, workflows, and potentially secrets. This level of access is excessive for merely inspecting PR checks and logs, and significantly increases the blast radius if the skill is compromised or misused. Review and narrow down the required `gh` scopes to the absolute minimum necessary for the skill's functionality. For example, if only reading checks and logs is needed, use more restrictive read-only scopes. Avoid `workflow` and `repo` scopes unless absolutely critical and justified. | LLM | SKILL.md:12 |
| HIGH | **Unsanitized user input in GitHub CLI commands.** The skill's workflow describes using user-provided PR numbers/URLs (`<pr>`) and extracted run IDs (`<run_id>`) directly in `gh` CLI commands (e.g., `gh pr checks <pr>`, `gh run view <run_id>`). If these inputs are not properly sanitized before execution, a malicious user could inject arbitrary shell commands, leading to remote code execution. All user-provided inputs or values extracted from untrusted sources must be strictly validated and sanitized before being used in shell commands. When executing external commands in Python, prefer `subprocess.run` with `shell=False` and pass arguments as a list to prevent shell injection. | LLM | SKILL.md:36 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/5736e92d5e2b4b68
Powered by SkillShield