Trust Assessment
systematic-debugging received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The single finding is Command Injection via unquoted variable in shell script.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Command Injection via unquoted variable in shell script. `find-polluter.sh` expands the user-provided `TEST_PATTERN` variable unquoted inside a `find` command. Two distinct effects need separating. The shell does not re-parse quotes or `;` that come out of a variable expansion, so a value such as `foo"; rm -rf /; echo "` only executes extra commands if the script feeds the assembled line through `eval` or `sh -c`; against a plain `find . -path $TEST_PATTERN` it produces a `find` usage error. What unquoted expansion does allow is word splitting and pathname expansion: a `TEST_PATTERN` containing whitespace is split into several arguments, so a caller can append further `find` predicates and actions (for example `-o -name somefile -delete`, or `-exec ... {} ;`), which `find` then carries out with the script's privileges. Fix: quote the expansion (`find . -path "$TEST_PATTERN"`) so the whole value reaches `find` as one argument and `find` itself does the glob matching; `printf %q` is not needed, since the pattern is passed as an argument rather than re-evaluated by a shell. If only simple name globs are expected, additionally reject values containing whitespace or starting with `-` before they reach `find`. | Static | find-polluter.sh:25 |
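The two behaviours described in the finding, demonstrated side by side as an added example that is not part of the scanned skill or of SkillShield's report. It assumes line 25 has the shape `find . -path $TEST_PATTERN` (the actual script is not shown here); the scratch directory tree, file names and the `is_simple_glob` validator are constructed for this illustration.

```bash
#!/usr/bin/env bash
# Added example, not the find-polluter.sh script itself: contrasts an
# unquoted $TEST_PATTERN expansion with the quoted form on a throwaway
# directory tree built below. Variable and file names are assumptions.
set -u

# Build a scratch test tree and print its path (constructed sample data).
setup_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/tests/unit" "$root/tests/integration"
  : > "$root/tests/unit/a.test.js"
  : > "$root/tests/integration/b.test.js"
  : > "$root/tests/unit/helper.js"
  printf '%s\n' "$root"
}

# Vulnerable form (the reported pattern): the unquoted expansion is split on
# whitespace and glob-expanded, so each piece of TEST_PATTERN becomes a
# separate argument to find.
find_unquoted() {
  local root=$1 TEST_PATTERN=$2
  (cd "$root" && find . -path $TEST_PATTERN 2>/dev/null) | sort
}

# Hardened form: quoting keeps the value a single -path argument; find does
# the glob matching itself, so no shell-level splitting or expansion occurs.
find_quoted() {
  local root=$1 TEST_PATTERN=$2
  (cd "$root" && find . -path "$TEST_PATTERN" 2>/dev/null) | sort
}

# Defence in depth (assumed policy): accept only a simple glob with no
# whitespace and no leading dash, so an injected predicate never reaches find.
is_simple_glob() {
  case $1 in
    ''|-*|*[[:space:]]*) return 1 ;;
    *) return 0 ;;
  esac
}

# True while the canary file is still on disk.
helper_present() {
  [ -e "$1/tests/unit/helper.js" ]
}

demo() {
  local root
  root=$(setup_tree)

  echo "quoted, legitimate pattern:"
  find_quoted "$root" '*.test.js'

  # Shell metacharacters are NOT re-parsed by either form: find receives the
  # literal words 'foo";' 'echo' 'injected;' 'echo' '"' and rejects them with
  # a usage error, so nothing named "injected" runs and no output appears.
  echo "unquoted, quote-breaking value (no output expected):"
  find_unquoted "$root" 'foo"; echo injected; echo "'

  # What unquoted expansion DOES allow: extra find predicates and actions.
  # Quoted, this is merely a pattern that matches nothing; unquoted, it
  # becomes '-o -name helper.js -delete' and removes the canary file.
  local injected='./nomatch -o -name helper.js -delete'
  find_quoted "$root" "$injected"
  helper_present "$root" && echo "quoted: helper.js still present"
  is_simple_glob "$injected" || echo "validator rejects the injected value"
  find_unquoted "$root" "$injected"
  helper_present "$root" || echo "unquoted: helper.js deleted by injected -delete"

  rm -rf "$root"
}

demo
```

Run it in any directory; it creates and removes its own temporary tree. The point to take away is that the realistic payload against this line is argument injection into `find` (predicates such as `-delete` or `-exec`), which quoting removes entirely, while the validator is a second layer for scripts that only ever expect a plain name glob.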
Scan History
Full report: [https://skillshield.io/report/8f1cb008b3ee79ea](https://skillshield.io/report/8f1cb008b3ee79ea)
Powered by SkillShield