Trust Assessment
mgrep-code-search received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. The key findings are potential command injection via user input in `mgrep` arguments, a capability for sensitive data exfiltration, and an unpinned dependency in the `bunx` command.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The llm_behavioral_safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 326f2466). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection via User Input in `mgrep` Arguments.** The skill instructs the host LLM to execute `bunx @mixedbread/mgrep` with user-provided natural language queries and optional paths. If the LLM directly inserts unsanitized user input into these command-line arguments, an attacker could inject shell metacharacters (e.g., `;`, `|`, `&&`, `$()`) to execute arbitrary commands on the underlying system. For example, a malicious query like `"find secrets; rm -rf /"` could lead to data loss or system compromise. *Recommendation:* the host LLM must strictly sanitize and escape all user-provided input before constructing and executing shell commands. Specifically, shell metacharacters in the query string and path arguments should be properly quoted or escaped. Consider using a dedicated library for command argument construction that handles escaping automatically. | Unknown | SKILL.md:38 |
| HIGH | **Capability for Sensitive Data Exfiltration.** The `mgrep-code-search` skill is designed to search and retrieve content from the local codebase. Options like `-c, --content` (display full result content) and `-a, --answer` (generate AI-powered synthesis of results) explicitly enable the skill to return potentially sensitive code snippets, configuration files, or other proprietary information found in the repository. While this is the intended functionality of a code search tool, it poses a high risk of data exfiltration if the host LLM is prompted to search for and return sensitive data, which could then be exposed to unauthorized users or external systems. *Recommendation:* implement strict access controls and data handling policies for the host LLM. Ensure that sensitive data retrieved by this skill is not logged, stored, or transmitted insecurely. The host LLM should be instructed to redact or filter sensitive information before presenting results to users, especially when using the `-c` or `-a` options. Consider limiting the scope of searches or the types of files that can be returned. | Unknown | SKILL.md:47 |
| HIGH | **Unpinned Dependency in `bunx` Command.** The skill instructs the host LLM to use `bunx @mixedbread/mgrep` without specifying a version. This means `bunx` will always fetch the latest available version of the `@mixedbread/mgrep` package. This introduces a significant supply chain risk, as a malicious actor could publish a compromised version of the package, or an unintentional breaking change could be introduced, leading to unexpected behavior, vulnerabilities, or arbitrary code execution on the system running the skill. *Recommendation:* pin the dependency to a specific, known-good version (e.g., `bunx @mixedbread/mgrep@1.2.3`). Regularly review and update the pinned version to incorporate security patches and new features, but only after thorough vetting. Implement package integrity checks (e.g., using lock files or checksums) to ensure the fetched package has not been tampered with. | Unknown | SKILL.md:32 |
Full report: https://skillshield.io/report/877ab0232ae336ad