Security Audit
dceoy/speckit-agent-skills:skills/speckit-taskstoissues
github.com/dceoy/speckit-agent-skillsTrust Assessment
dceoy/speckit-agent-skills:skills/speckit-taskstoissues received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Insecure Shell Command Construction via LLM.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 8, 2026 (commit c21d8d2d). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Insecure Shell Command Construction via LLM The skill instructs the LLM to manually handle shell escaping for arguments passed to `.specify/scripts/bash/check-prerequisites.sh`. Relying on the LLM to correctly sanitize shell arguments (specifically handling single quotes) is error-prone. If the LLM fails to escape characters correctly, or if the directory paths or arguments contain malicious shell metacharacters (e.g., command substitutions), this can lead to Command Injection. Avoid instructing the LLM to construct raw shell command strings. Use a tool execution interface that accepts arguments as a list (argv) to bypass shell interpretation, or strictly validate and sanitize inputs before execution. | Unknown | SKILL.md:16 |
Scan History
Embed Code
[](https://skillshield.io/report/267941b1a6563d1a)
Powered by SkillShield