Security Audit
giil
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations
Trust Assessment
giil received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Insecure installation method via `curl | bash`.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit c7bd8e0f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Insecure installation method via `curl \| bash`. The recommended installation method for the `giil` tool involves piping the content of a remote shell script directly to `bash`. This practice is highly insecure as it executes arbitrary code from an external source (GitHub in this case) without prior review or verification. This makes the system vulnerable to supply chain attacks if the remote script is compromised or malicious. Although an optional `GIIL_VERIFY` environment variable is mentioned for checksum verification, it is not enabled by default, leaving users exposed. Avoid piping remote scripts directly to a shell. Instead, recommend downloading the script, reviewing its contents, and then executing it locally. Implement robust checksum verification by default, or provide a package manager-based installation method. | Unknown | SKILL.md:60 |