Security Audit
Jamkris/everything-gemini-code:skills/continuous-learning
github.com/Jamkris/everything-gemini-code
Trust Assessment
Jamkris/everything-gemini-code:skills/continuous-learning received a trust score of 33/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 1 medium, and 0 low severity. The key findings are an unsanitized environment variable used in a shell command (critical) and access to the sensitive environment variable $HOME (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on March 30, 2026 (commit 6c6f43aa). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unsanitized environment variable used in shell command. The `CLAUDE_TRANSCRIPT_PATH` environment variable is interpolated directly into a `grep` command without sanitization or quoting. An attacker who can control this environment variable can inject arbitrary shell commands, which run with the privileges of the user executing the script. Ensure that all external inputs, especially environment variables, are quoted or validated before use in shell commands. For file paths, `printf %q` can produce a shell-safe quoted form (a bash extension, not POSIX sh), or use a method of reading the file that does not involve re-parsing the path as shell code. In this specific case, if the intent is to count lines in a file, ensure `$transcript_path` is strictly a file path and not executable code: validate the string against the expected file-path pattern, or use a language or tool that handles file paths more safely than shell interpolation. | Static | evaluate-session.sh:45 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to the sensitive environment variable `$HOME` detected in a shell context. Verify that this access is necessary and that the value is not exfiltrated. | Static | skills/continuous-learning/evaluate-session.sh:30 |
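The script below is an added example, not code from the skill, the repository, or SkillShield, and it is not a reconstruction of `evaluate-session.sh` line 45 (the page does not show that line). It assumes the path reaches the shell through `eval` or an equivalent re-parse, because that is the shape in which an interpolated path becomes command injection; an unquoted `$var` in a plain command is a lesser bug (word splitting and glob expansion), not code execution. The function names, the constructed transcript fixture and the injected payload are all assumptions. It shows the vulnerable form beside two hardened forms: quoting the expansion (with `--` so a path starting with `-` cannot become a `grep` option), and quoting plus validation of the path string before use.

```shell
#!/bin/sh
# Added example, not from the skill or from SkillShield. Function names,
# the fixture contents and the injected payload are all assumptions.

# Constructed three-line transcript standing in for the real session log.
setup_fixture() {
  dir=$(mktemp -d)
  printf 'user: hi\nassistant: hello\nuser: bye\n' > "$dir/transcript.txt"
  echo "$dir"
}

# VULNERABLE: the path is spliced into a command string that the shell
# re-parses, so a value like '/x/t.txt; touch /x/pwned' runs the second
# command. (Assumed shape of the bug; the page does not show the real line.)
count_lines_vulnerable() {
  transcript_path=$1
  eval "grep -c '' $transcript_path" 2>/dev/null
}

# HARDENED 1: quote the expansion and end option parsing with --.
# The value is now a single argument to grep, never shell code, and a
# path beginning with '-' cannot turn into a grep option.
count_lines_quoted() {
  transcript_path=$1
  grep -c '' -- "$transcript_path"
}

# HARDENED 2: additionally validate before use. Reject anything outside a
# conservative path character set and anything that is not an existing
# regular file. Returns 2 on rejection, without ever running grep.
count_lines_validated() {
  transcript_path=$1
  case $transcript_path in
    *[!A-Za-z0-9._/-]*)
      echo "rejected: unexpected character in path" >&2
      return 2 ;;
  esac
  [ -f "$transcript_path" ] || { echo "rejected: not a regular file" >&2; return 2; }
  grep -c '' -- "$transcript_path"
}

# Stand-alone demonstration of all three against the same payload.
demo() {
  d=$(setup_fixture)
  payload="$d/transcript.txt; touch $d/pwned"
  echo "quoted:     $(count_lines_quoted "$d/transcript.txt") lines"
  echo "validated:  $(count_lines_validated "$d/transcript.txt") lines"
  count_lines_vulnerable "$payload" >/dev/null || true
  [ -e "$d/pwned" ] && echo "vulnerable: injected touch ran, $d/pwned exists"
  rm -f "$d/pwned"
  count_lines_quoted "$payload" 2>/dev/null || true
  [ -e "$d/pwned" ] || echo "quoted:     grep failed on the literal string, no injection"
  count_lines_validated "$payload" 2>/dev/null || true
  [ -e "$d/pwned" ] || echo "validated:  rejected before grep ran, no injection"
  rm -rf "$d"
}
demo
```

The quoting fix alone already removes the injection: the payload becomes a single, nonexistent file name and `grep` simply fails. Validation adds defence in depth for a hook whose input comes from another process, and it is portable to plain POSIX `sh`, which `printf %q` is not.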
Full report: https://skillshield.io/report/c75ceb67662cbebf (Powered by SkillShield)