Trust Assessment
finishing-a-development-branch received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 2 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection in Git Branch Operations, Potential Command Injection in GitHub PR Title, Potential Command Injection in Git Worktree Path.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. The llm_behavioral_safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit a98c5dfc). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Potential Command Injection in Git Branch Operations The skill defines several `git` commands that use placeholders like `<base-branch>` and `<feature-branch>`. If the LLM populates these placeholders directly from untrusted user input without proper sanitization or validation, an attacker could inject arbitrary shell commands. For example, if `<feature-branch>` is `my-feature; rm -rf /`, the `rm -rf /` command would be executed on the host system. The LLM should strictly validate and sanitize all branch names (`<base-branch>`, `<feature-branch>`) before incorporating them into shell commands. This includes checking for valid Git reference characters and preventing the injection of shell metacharacters (e.g., `;`, `&`, `|`, `$`, `(`, `)`). | Unknown | SKILL.md:59 | |
| CRITICAL | Potential Command Injection in Git Worktree Path The `git worktree remove <worktree-path>` command uses a `<worktree-path>` placeholder. If this path is derived from untrusted user input or an attacker can influence its value, it could lead to command injection. For example, if `<worktree-path>` is `my-worktree; malicious_command`, the malicious command would be executed on the host system. The LLM should strictly validate and sanitize the `<worktree-path>` placeholder, ensuring it represents a valid and safe file system path and does not contain any shell metacharacters. | Unknown | SKILL.md:102 | |
| HIGH | Potential Command Injection in GitHub PR Title The `gh pr create` command uses a `<title>` placeholder. If this title is derived from untrusted user input and not properly escaped for the shell, it could lead to command injection. While the `gh` CLI might handle some escaping internally, relying on this without explicit sanitization by the LLM is risky. An attacker could craft a title that breaks out of the `--title` argument and executes arbitrary commands. The LLM should sanitize the `<title>` placeholder to escape any shell metacharacters before passing it to the `gh pr create` command. This ensures that the title is treated purely as a string argument. | Unknown | SKILL.md:73 | |
| HIGH | Potential Command Injection in Generic Test Command The skill specifies running a generic test command (`<test command>`) in Step 1 and Option 1. If the LLM constructs this command based on user input or an attacker can influence the 'project's test suite' definition, it could lead to command injection. This could allow arbitrary code execution during the test verification phase. The LLM should use a predefined, safe test command for the project, or if it must be dynamic, it should strictly validate and sanitize any user-provided components of the test command to prevent shell injection. | Unknown | SKILL.md:30 |
Scan History
Embed Code
[](https://skillshield.io/report/dee1baf5bd1d2086)
Powered by SkillShield