Trust Assessment
garrytan/gstack:freeze received a trust score of 66/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include "Dangerous tool allowed: Bash", "Sensitive environment variable access: $HOME", and "Potential Command Injection in directory resolution due to LLM's handling of user input".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on April 29, 2026 (commit e8893a18). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Dangerous tool allowed: Bash** The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | freeze/SKILL.md:1 |
| MEDIUM | **Sensitive environment variable access: $HOME** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | freeze/SKILL.md:32 |
| MEDIUM | **Sensitive environment variable access: $HOME** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | freeze/bin/check-freeze.sh:11 |
| MEDIUM | **Potential Command Injection in directory resolution due to LLM's handling of user input** The `SKILL.md` instructs the LLM to resolve a user-provided directory path to an absolute path using a `bash` command: `FREEZE_DIR=$(cd "<user-provided-path>" 2>/dev/null && pwd)`. While the instruction explicitly includes double quotes around `<user-provided-path>`, relying on the LLM to faithfully preserve these quotes when substituting arbitrary user input is a known vulnerability pattern. If the LLM fails to quote the user's input, a malicious user could provide a path containing shell metacharacters (e.g., `.; rm -rf /`) which would be executed as `cd .; rm -rf / 2>/dev/null && pwd`, leading to arbitrary command execution. This compromises the integrity of the `FREEZE_DIR`, which is then used by the `check-freeze.sh` script. To prevent command injection, avoid relying on the LLM to correctly quote or escape user-provided input for shell commands. Instead, consider using a dedicated Python script or a more robust method for path resolution that explicitly handles user input as a string argument, preventing shell injection. For example, a Python script using `os.path.abspath` or `pathlib.Path.resolve()` would be safer. If `bash` must be used, ensure the LLM is explicitly instructed to escape the user input using a function like `printf %q` before passing it to `cd`. | LLM | SKILL.md:25 |