Trust Assessment
botrights received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via Unsanitized URL Path Parameters.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via Unsanitized URL Path Parameters.** The skill provides `curl` command examples that include dynamic placeholders in the URL path (e.g., `{id}`, `{proposalId}`). If the AI agent constructs and executes these `curl` commands by directly substituting user-provided or agent-generated values into these placeholders without proper shell escaping or URL encoding, it creates a command injection vulnerability. An attacker could craft a malicious ID (e.g., `123; rm -rf /`) which, when interpolated into the `curl` command, would execute arbitrary shell commands on the host system. Instruct the AI agent to always sanitize and properly shell-escape or URL-encode any dynamic input (especially user-controlled data) before incorporating it into shell commands or URL paths. Prefer using a programmatic HTTP client library that handles encoding automatically over raw shell commands for constructing requests. | LLM | skill.md:209 |
Scan History