Trust Assessment
sre-engineer received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Prometheus Query Injection via untrusted service name, Kubectl argument manipulation via untrusted input.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit e8be415b). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Prometheus Query Injection via untrusted service name The Python script `toil-automation-script.py` constructs a Prometheus query string using an f-string where the `service` variable (taken from `sys.argv[1]`) is directly embedded. Although `urllib.request.quote` is used on the *entire* query string before it's sent, this does not prevent injection of Prometheus Query Language (PromQL) within the `service` parameter itself. An attacker controlling `sys.argv[1]` could inject malicious PromQL to exfiltrate sensitive metrics, perform resource-intensive queries leading to Denial of Service on the Prometheus server, or otherwise manipulate the query's intent. Sanitize or validate the `service` input string to ensure it only contains expected characters (e.g., alphanumeric, hyphens, underscores) and does not contain PromQL operators or string delimiters. Alternatively, use a client library that properly escapes or parameterizes query components. | Static | SKILL.md:107 | |
| MEDIUM | Kubectl argument manipulation via untrusted input The Python script `toil-automation-script.py` executes `kubectl rollout restart` using `subprocess.run` with a list of arguments. The `deployment` and `namespace` values are taken directly from `sys.argv[2]` and `sys.argv[3]`. While using a list prevents shell injection, an attacker controlling these arguments could potentially pass valid `kubectl` flags or arguments that alter the intended behavior of the command. For example, specifying a different deployment name, or potentially using flags like `--all` (if `kubectl` interprets it in this context) or label selectors (`-l`) to affect a broader set of resources than intended. This could lead to unintended service disruptions or restarts. Validate and sanitize `namespace` and `deployment` inputs to ensure they conform to expected naming conventions (e.g., Kubernetes object naming rules) and do not contain special characters or `kubectl` flags. Ensure that the agent's `kubectl` permissions are as narrowly scoped as possible (e.g., only to specific namespaces or resource types). | Static | SKILL.md:117 |
Scan History
Embed Code
[](https://skillshield.io/report/7201106f794132e0)
Powered by SkillShield