Trust Assessment
auto-pr-merger received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 3 critical, 3 high, 3 medium, and 1 low severity. Key findings include Arbitrary command execution, Hidden network beacons / undisclosed telemetry, Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/auto-pr-merger/index.js:3 |
| CRITICAL | Arbitrary command execution. Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/auto-pr-merger/index.js:23 |
| CRITICAL | Arbitrary command execution via user-provided test command. The skill directly executes the user-provided `--test` argument (`testCommand`) using `child_process.execSync` without proper sanitization. An attacker can inject arbitrary shell commands (e.g., `--test "npm test; rm -rf /"`), leading to full system compromise on the host machine. Sanitize or escape the `testCommand` before execution. A safer approach is to use `child_process.spawn` and pass arguments as an array, preventing shell interpretation. Alternatively, restrict allowed test commands to a predefined set. | LLM | index.js:40 |
| HIGH | Hidden network beacons / undisclosed telemetry. DNS query with variable subdomain (DNS exfiltration). Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/autogame-17/auto-pr-merger/index.js:192 |
| HIGH | Potential command injection via PR number/URL argument. The `pr` argument, which is user-controlled, is directly interpolated into shell commands like `gh pr checkout ${prNumber} --force` and `gh pr view ${prNumber}`. If `prNumber` contains shell metacharacters (e.g., `123; malicious_command`), it could lead to command injection. While the `gh` CLI might offer some sanitization, relying solely on it is risky. Validate and sanitize the `pr` argument to ensure it only contains expected characters (e.g., digits for PR number, valid URL characters). Consider using `child_process.spawn` with arguments passed as an array to prevent shell interpretation. | LLM | index.js:100 |
| HIGH | Sensitive code and test output sent to external LLM. The `callLLM` function constructs a prompt that includes `fileContent` (read from local files) and `testOutput` (from executed tests). This prompt is then sent to the Google Gemini API. This means potentially proprietary code, sensitive data within files, or confidential test results are transmitted to a third-party service, posing a significant data exfiltration risk. Implement strict data governance policies. Redact or filter sensitive information from file contents and test outputs before sending them to external LLMs. Clearly inform users about data sharing practices and consider using on-premise or private LLMs for highly sensitive data. | LLM | index.js:200 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/autogame-17/auto-pr-merger/SKILL.md:1 |
| MEDIUM | Unpinned npm dependency version. Dependency 'minimist' is not pinned to an exact version ('^1.2.8'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/autogame-17/auto-pr-merger/package.json |
| MEDIUM | Broad search for `GEMINI_API_KEY` in `.env` files. The `callLLM` function attempts to load `GEMINI_API_KEY` from `.env` files in the current working directory, its parent, and three levels up from the script's location. This broad search path (`process.cwd()/.env`, `process.cwd()/../.env`, `__dirname/../../../.env`) could inadvertently discover and use API keys from other projects or environments if the skill is executed in an unexpected directory, leading to unintended credential exposure or usage. Restrict the search for `.env` files to a more specific and controlled location (e.g., only the skill's own directory or a clearly defined project root). Prioritize environment variables over file-based secrets to ensure explicit configuration. | LLM | index.js:50 |
| LOW | Skill requires broad system and filesystem access. The skill utilizes `child_process.execSync` for arbitrary command execution and the `fs` module for file system operations. While these permissions are inherent to its functionality (checking out PRs, running tests, modifying files), they grant the skill extensive control over the host system. This broad access, especially when combined with command injection vulnerabilities, significantly increases the potential impact of an exploit. Implement the principle of least privilege. Where possible, use more granular APIs instead of shell execution. Isolate skill execution in sandboxed environments or containers to limit potential damage. Carefully review all commands executed to ensure they are strictly necessary and properly sanitized. | LLM | index.js:1 |