Security Audit

dceoy/speckit-agent-skills:skills/speckit-plan

github.com/dceoy/speckit-agent-skills

AI SkillCommit a934d48ecf66

TRUSTED

Scanned 6 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

dceoy/speckit-agent-skills:skills/speckit-plan received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Direct execution of untrusted shell scripts, Dynamic file paths derived from untrusted script output.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on April 1, 2026 (commit a934d48e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

78%

Behavioral Risk Signals

Filesystem Write

1 finding

Shell Execution

2 findings

Dynamic Code

2 findings

Security Findings2

Severity	Finding	Layer	Location
HIGH	Direct execution of untrusted shell scripts The skill explicitly instructs the LLM to execute shell scripts (`setup-plan.sh` and `update-agent-context.sh`) located within the untrusted repository content. An attacker could modify these scripts to execute arbitrary commands on the host system, leading to full system compromise. The arguments passed to `update-agent-context.sh` (`<agent_type>`) also present a potential injection vector if not properly sanitized by the LLM. Avoid direct execution of shell scripts from untrusted repositories. If shell execution is absolutely necessary, implement a strict allowlist for commands and arguments, execute within a highly sandboxed environment (e.g., containerized, minimal permissions), and ensure all inputs are thoroughly sanitized. Consider using a safer, language-native alternative for the script's functionality.	LLM	SKILL.md:20
MEDIUM	Dynamic file paths derived from untrusted script output The skill reads files using `FEATURE_SPEC`, which is parsed from the output of `setup-plan.sh`. If `setup-plan.sh` is compromised (as identified in the command injection finding) or if its output can be manipulated, `FEATURE_SPEC` could be set to an arbitrary path, allowing the LLM to read sensitive files outside the intended `specs/` directory (data exfiltration). Similarly, the output paths like `specs/<feature>/plan.md` depend on the `<feature>` variable. If `<feature>` can be manipulated (e.g., via path traversal sequences like `../`), it could lead to writing files to arbitrary locations, potentially overwriting system files or creating malicious content. Implement strict validation and sanitization for all file paths and names derived from untrusted sources or script outputs. Ensure that file operations are confined to a designated, isolated working directory and that path traversal sequences (`../`) are explicitly disallowed or resolved securely.	LLM	SKILL.md:24

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/766f563556ed18ab.svg)](https://skillshield.io/report/766f563556ed18ab)