Security Audit

openant-ai/openant-skills:skills/comment-on-task

github.com/openant-ai/openant-skills

AI SkillCommit 0ad720024045

TRUSTED

Scanned 26 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

openant-ai/openant-skills:skills/comment-on-task received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Excessive Bash Tool Permissions Allow Command Injection.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on March 5, 2026 (commit 0ad72002). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Shell Execution

1 finding

Dynamic Code

1 finding

Excessive Permissions

1 finding

Security Findings1

Severity	Finding	Layer	Location
HIGH	Excessive Bash Tool Permissions Allow Command Injection The skill's manifest declares Bash tool permissions with a wildcard (``) at the end of the command patterns: `Bash(npx @openant-ai/cli@latest tasks comments )` and `Bash(npx @openant-ai/cli@latest tasks comment )`. This allows the LLM to append arbitrary arguments to these commands. If user-controlled input (such as `taskId` or `--content` values) is directly interpolated into the command string by the LLM without proper shell escaping, a malicious user could inject shell commands. This could lead to arbitrary code execution on the host system. Restrict Bash tool permissions to specific, well-defined arguments and options instead of using a wildcard (``). For example, define separate permissions for reading comments (`--json`) and adding comments (`--content`, `--json`), explicitly listing all allowed flags and their expected value types. Alternatively, ensure the LLM strictly shell-escapes all user-provided input before constructing and executing Bash commands.	LLM	Manifest

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/5ef7016e44347e68.svg)](https://skillshield.io/report/5ef7016e44347e68)