Trust Assessment
airtable received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via Unsanitized Input in `curl` Commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via Unsanitized Input in `curl` Commands: The skill provides `bash` examples that construct `curl` commands by directly interpolating variables (`BASE_ID`, `TABLE_NAME`, `RECORD_ID`, `FORMULA`) into the command string. If an AI agent or user populates these variables with untrusted input containing shell metacharacters (e.g., `$(command)`, `;`, `\|`, `&`), it could lead to arbitrary command execution on the host system. While the documentation mentions URL encoding for `TABLE_NAME` and `FORMULA`, it does not explicitly warn about shell escaping for all interpolated variables or demonstrate how to safely handle untrusted input in this context. Advise the agent to properly sanitize and shell-escape all variables derived from untrusted input before interpolating them into shell commands. For URL components, ensure both URL encoding and shell escaping are applied. The skill documentation should include explicit warnings and examples of safe input handling, such as using `printf %q` for shell escaping or dedicated URL encoding functions. | LLM | SKILL.md:20 |