Security Audit
receiving-code-review
github.com/davila7/claude-code-templates
Trust Assessment
receiving-code-review received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 1 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Skill attempts to directly manipulate LLM behavior and output.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Skill attempts to directly manipulate LLM behavior and output. The skill contains numerous explicit instructions designed to control the LLM's conversational style, decision-making process, and output content. Examples include 'NEVER:', 'INSTEAD:', 'IF any item is unclear: STOP - do not implement anything yet ASK for clarification', 'Push back when:', 'How to push back:', 'When feedback IS correct: ... ❌ ANY gratitude expression', 'If you catch yourself about to write "Thanks": DELETE IT.', and 'Signal if uncomfortable pushing back out loud: "Strange things are afoot at the Circle K"'. The instruction '"You're absolutely right!" (explicit CLAUDE.md violation)' indicates an attempt to override or enforce specific behaviors against the LLM's base instructions. This constitutes a direct prompt injection, as the skill's primary function is to manipulate the host LLM's responses. Review and ensure that instructions intended for the LLM's behavior are aligned with security policies and do not inadvertently lead to undesirable outputs or override core safety mechanisms. If the intent is to strictly control output, ensure this control is safe and auditable. | LLM | SKILL.md:20 |
| HIGH | Skill instructs LLM to 'grep codebase', implying potential command execution or data access. The skill contains the instruction 'grep codebase for actual usage'. If the LLM has access to a shell environment or direct filesystem access, this phrase could be interpreted as a command to execute `grep`, potentially leading to command injection. Even if not directly executed, it implies the LLM should have knowledge of the codebase's contents, which could lead to data exfiltration if the LLM reports on sensitive information found during this 'grep' operation. Clarify whether the LLM is expected to *simulate* a `grep` operation or *actually* execute it. If actual execution is intended, ensure robust sandboxing, strict input validation, and least-privilege access are in place. If it is a simulation, rephrase to avoid command-like language (e.g., 'consider if the codebase uses this feature'). | LLM | SKILL.md:78 |
| HIGH | Skill provides a specific GitHub CLI command, implying potential command execution or API interaction. The skill instructs the LLM to 'reply in the comment thread (`gh api repos/{owner}/{repo}/pulls/{pr}/comments/{id}/replies`)'. This is a direct reference to a specific GitHub CLI command, including parameters. If the LLM has access to a shell environment or is integrated with the GitHub CLI, this could be interpreted as an instruction to execute this command, leading to command injection. Furthermore, executing such a command would involve interacting with the GitHub API, potentially leading to data exfiltration or unauthorized actions if not properly controlled. Clarify whether the LLM is expected to *simulate* or *reference* this command, or *actually* execute it. If actual execution is intended, ensure robust sandboxing, strict input validation, and least-privilege access to the GitHub API. If it is a reference, rephrase to avoid command-like syntax (e.g., 'reply to the specific inline comment thread on GitHub'). | LLM | SKILL.md:169 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to a raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | Covert behavior / concealment directives: multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |