Security Audit
ferminrp/agent-skills:skills/dub-links-api
github.com/ferminrp/agent-skillsTrust Assessment
ferminrp/agent-skills:skills/dub-links-api received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via `curl` examples.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 24, 2026 (commit 84b0da63). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Command Injection via `curl` examples The skill's documentation provides `curl` command examples that involve interpolating dynamic values (e.g., URLs, link IDs, domains, keys) into shell commands. If the agent constructs these commands by directly concatenating untrusted user input without proper sanitization or shell escaping, it could lead to command injection. A malicious user could inject arbitrary shell commands by crafting specific input values that break out of the intended data fields. The agent should avoid direct shell command execution with user-controlled input. Instead, use a robust HTTP client library (e.g., `requests` in Python, `node-fetch` in Node.js) that handles parameter serialization and request construction safely, preventing shell injection. If shell execution is unavoidable, all user-provided inputs must be rigorously sanitized and shell-escaped before being incorporated into the command string. | LLM | SKILL.md:30 |
Scan History
Embed Code
[](https://skillshield.io/report/6aa3c5f1ad790706)
Powered by SkillShield