Security Audit
openant-ai/openant-skills:skills/leave-task
github.com/openant-ai/openant-skills
Trust Assessment
openant-ai/openant-skills:skills/leave-task received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The findings are Potential Command Injection via Unsanitized User Input and Unpinned Dependency in Bash Commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on March 5, 2026 (commit 0ad72002). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection via Unsanitized User Input.** The skill's declared permissions for Bash commands use a wildcard (`*`) at the end of specific commands (e.g., `npx @openant-ai/cli@latest tasks unassign *`). The skill's instructions show commands like `npx @openant-ai/cli@latest tasks unassign <taskId> --json` where `<taskId>` is expected to be provided by the user or derived from user input. If the LLM directly substitutes user-provided input for `<taskId>` without proper sanitization, a malicious user could inject arbitrary shell commands (e.g., `123; rm -rf /`) which would be executed due to the broad `*` permission. Restrict Bash permissions to explicitly allow only expected arguments or use a more granular permission system that validates arguments. If wildcards are necessary, ensure the LLM is explicitly instructed and capable of sanitizing all user-provided inputs before constructing shell commands. For example, restrict the wildcard to specific argument patterns or use a tool that handles argument parsing securely. | Static | SKILL.md:39 |
| HIGH | **Unpinned Dependency in Bash Commands.** The skill uses `npx @openant-ai/cli@latest` in its Bash commands. Relying on the `@latest` tag for a package means that the specific version is not pinned. This introduces a supply chain risk, as a malicious update to the `@openant-ai/cli` package by its maintainers or a compromised registry could lead to the execution of arbitrary malicious code when the skill is invoked. Pin the version of the `@openant-ai/cli` package used in all Bash commands (e.g., `npx @openant-ai/cli@1.2.3`). Regularly review and update the pinned version to incorporate security fixes, but only after verifying the integrity of the new version. | Static | SKILL.md:20 |