Trust Assessment
audit-code received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 1 medium, and 0 low severity. Key findings include Sensitive environment variable access: $HOME, Command Injection / Path Traversal via User-Controlled Skill Name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection / Path Traversal via User-Controlled Skill Name | LLM | scripts/sync-to-agents.sh:86 |
| MEDIUM | Sensitive environment variable access: $HOME | Static | skills/swader/agent-skills-audit/scripts/sync-to-agents.sh:41 |

CRITICAL: Command Injection / Path Traversal via User-Controlled Skill Name

The `SKILL_NAME` variable, derived directly from user input via the `--skill-name` argument, is used to construct a destination path (`dest="$root/$SKILL_NAME"`) without proper sanitization for path separators or traversal sequences (e.g., `../`). This allows an attacker to specify a skill name like `../../.ssh` or `foo/bar`.

This malicious input is then used in critical shell commands:

1. `rm -rf "$dest"`: An attacker could delete arbitrary directories or files within the user's home directory (e.g., `rm -rf $HOME/.ssh`).
2. `ln -s "$SOURCE_DIR" "$dest"`: An attacker could create a symlink at an arbitrary location (e.g., `$HOME/.ssh`) that points to `$SOURCE_DIR`, potentially replacing critical user directories with a symlink to the skill's source.
3. `mkdir -p "$dest"`: An attacker could create arbitrary directory structures.
4. `rsync -a --delete "$SOURCE_DIR/" "$dest/"`: An attacker could copy the entire skill content into an arbitrary directory (e.g., `$HOME/.ssh`), potentially overwriting or introducing malicious content into sensitive configuration files (like `authorized_keys`).

The `agent_root` function correctly restricts the base path to known agent skill directories within `$HOME`, but the lack of sanitization for `SKILL_NAME` allows traversal *outside* these specific skill directories within the user's home directory.

Remediation: Sanitize the `SKILL_NAME` variable to prevent path traversal. Ensure it only contains valid, safe directory name characters and does not contain path separators (`/`) or traversal sequences (`..`). A robust solution would be to use `basename` on the input or validate it against a strict regex (e.g., `^[a-zA-Z0-9_-]+$`) before using it to construct paths. For example, `SKILL_NAME=$(basename "$SKILL_NAME")` could be used, though a more restrictive regex is preferred to prevent other special characters.

MEDIUM: Sensitive environment variable access: $HOME

Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.