Trust Assessment
gong received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 0 medium, and 1 low severity. Key findings include Hidden network beacons / undisclosed telemetry, Improper Input Sanitization leading to JSON Injection.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on July 1, 2026 (commit a4d31ad1). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/gong/SKILL.md:24 | |
| HIGH | Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/gong/scripts/gong.sh:16 | |
| LOW | Improper Input Sanitization leading to JSON Injection The helper script `scripts/gong.sh` constructs JSON payloads by directly interpolating command-line arguments (such as `<call_id>`) into a JSON string. If an attacker can control the arguments passed to the script (e.g., via prompt injection or untrusted data sources processed by the LLM), they can inject arbitrary JSON fields into the API request payload. While the impact is limited by the read-only nature of the endpoints, it can lead to unexpected API behavior or parameter pollution. Use `jq` to safely construct the JSON payload instead of string interpolation. For example: `payload=$(jq -n --arg id "$1" '{filter: {callIds: [$id]}, contentSelector: {exposedFields: {content: true, parties: true}}}')` and then pass `-d "$payload"` to the API call. | LLM | scripts/gong.sh:38 |
Scan History
Embed Code
[](https://skillshield.io/report/6517443ed8753ff4)
Powered by SkillShield