Security Audit
dceoy/speckit-agent-skills:skills/speckit-baseline
github.com/dceoy/speckit-agent-skills
Trust Assessment
dceoy/speckit-agent-skills:skills/speckit-baseline received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unsafe Execution of Repository-Local Scripts, Shell Argument Injection via Dynamic Input, Potential Prompt Injection from Source Code.
The analysis covered 4 layers: llm_behavioral_safety, manifest_analysis, static_code_analysis, dependency_graph. The llm_behavioral_safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 8, 2026 (commit c21d8d2d). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unsafe Execution of Repository-Local Scripts.** The skill instructs the agent to execute a shell script (`.specify/scripts/bash/create-new-feature.sh`) found within the target repository. If the repository is untrusted or has been compromised (e.g., via a malicious PR), executing code directly from the repository allows arbitrary code execution on the host machine. Recommendation: do not execute scripts found in the analyzed repository; use the agent's native file system tools to perform the necessary setup (creating directories/files), or use a trusted, pre-installed binary. | Unknown | SKILL.md:38 |
| HIGH | **Shell Argument Injection via Dynamic Input.** The skill instructs the agent to pass a "short name" derived from code analysis as an argument to a shell command. While the prompt suggests escaping quotes, it does not enforce strict validation (allowlisting) of the input. Maliciously crafted source code or filenames could result in a "short name" containing shell metacharacters, leading to command injection. Recommendation: explicitly instruct the agent to sanitize the "short name" to a strict character set (e.g., alphanumeric only) before using it in a shell command, or use a safe API that avoids shell interpretation. | Unknown | SKILL.md:38 |
| MEDIUM | **Potential Prompt Injection from Source Code.** The skill instructs the agent to "Read file contents for analysis" without explicit instructions to treat the content as pure data or to ignore embedded instructions. Malicious source code could contain prompt injection payloads that override the agent's behavior, potentially leveraging the agent's shell capabilities defined in other steps. Recommendation: wrap file contents in XML tags or similar delimiters when presenting them to the context, and explicitly instruct the model to treat the content between the tags as data only, ignoring any instructions within. | Unknown | SKILL.md:29 |
Full report: https://skillshield.io/report/9303f5919976465d