Trust Assessment
systematic-debugging received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Command Injection via unquoted variable in shell script.
The analysis covered 4 layers: llm_behavioral_safety, static_code_analysis, manifest_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Command Injection via unquoted variable in shell script: The `find-polluter.sh` script directly interpolates the user-provided `TEST_PATTERN` variable into a `find` command without proper quoting. This allows an attacker to inject arbitrary shell commands by crafting a malicious `TEST_PATTERN` value, which will be executed in the context of the script. For example, a `TEST_PATTERN` like `foo"; rm -rf /; echo "` could lead to arbitrary command execution. Always quote variables when using them in shell commands, especially when they originate from user input. For `find`'s `-path` argument, ensure the pattern is properly escaped or validated. A safer approach might involve using `printf %q` or similar mechanisms if the pattern needs to be dynamic, or strictly validating the input. In this specific case, if `TEST_PATTERN` is intended to be a glob pattern, consider using `find . -name "$TEST_PATTERN"` (if it is a simple name) or `find . -regex "$TEST_PATTERN"` with appropriate regex escaping, or using `find`'s `-path` with a more robust quoting mechanism if the shell allows it, or validating the input to prevent metacharacters. | Unknown | find-polluter.sh:25 |
Full report: https://skillshield.io/report/8f1cb008b3ee79ea
Powered by SkillShield