Security Audit
hosted-agents
github.com/muratcankoylan/Agent-Skills-for-Context-EngineeringTrust Assessment
hosted-agents received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Command Injection via Unsanitized Repository URL, Credential Exposure in Command Line / Process Tree.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on July 1, 2026 (commit 175cee7c). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Command Injection via Unsanitized Repository URL The `build_image` method in `ImageBuilder` constructs shell commands by directly interpolating the `repo_url` parameter into a `git clone` command string. If `repo_url` is sourced from untrusted user input, an attacker can inject arbitrary shell commands (e.g., using semicolons or backticks) that will execute in the build environment. Avoid executing shell commands via raw string interpolation. Use `subprocess.run` with a list of arguments instead of a shell string, or sanitize and validate the `repo_url` to ensure it matches a strict repository format (e.g., alphanumeric and slashes only) before execution. | LLM | scripts/sandbox_manager.py:178 | |
| MEDIUM | Credential Exposure in Command Line / Process Tree The GitHub access token is interpolated directly into the `git clone` command string. This can expose the sensitive token in process listings (e.g., `ps aux`) or build logs if the command execution is logged. Pass the token securely using environment variables (e.g., `GIT_ASKPASS` or setting the token in the environment of the subprocess) rather than embedding it directly in the command-line arguments. | LLM | scripts/sandbox_manager.py:178 |
Scan History
Embed Code
[](https://skillshield.io/report/deb1ccdb0c6c728e)
Powered by SkillShield