Trust Assessment
branch-namer received a trust score of 75/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Unpinned npm dependency version, Prompt Injection via User Description, Potential Command Injection from LLM Output.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Prompt Injection via User Description: The skill directly passes user-provided input (`description`) to the OpenAI LLM without explicit sanitization or robust validation. A malicious user could craft the `description` to inject instructions into the LLM's prompt, potentially overriding the system prompt's instructions (e.g., 'Return ONLY the branch name, nothing else'). This could lead to the LLM generating unintended, misleading, or potentially malicious output, which is then used in a command execution context. Implement robust input validation and sanitization for user-provided `description` before passing it to the LLM. Consider using prompt engineering techniques like 'sandwiching' (placing user input between system instructions and a final instruction to ignore previous instructions) to make prompt injection more difficult. Additionally, ensure the LLM's output is strictly validated against expected branch name patterns before being used in `simple-git` commands. | LLM | src/index.ts:15 |
| MEDIUM | Unpinned npm dependency version: Dependency 'commander' is not pinned to an exact version ('^12.1.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/lxgicstudios/branch-name-gen/package.json |
| MEDIUM | Potential Command Injection from LLM Output: The output from the OpenAI LLM (`branchName`), which is derived from user input, is directly used as an argument to `simpleGit().checkoutLocalBranch()`. While `simple-git` typically uses `spawn` with arguments as an array, which mitigates direct shell command injection, a successful prompt injection could still lead the LLM to generate a string that, if interpreted by `git` in an unexpected way (e.g., as a special argument or a malformed branch name that triggers a vulnerability in `git` itself), could result in unintended command execution or behavior. Relying on LLM output for command arguments without strict, independent validation is a security risk pattern. Strictly validate the LLM's output (`branchName`) against a whitelist of allowed characters and patterns for git branch names before passing it to `simple-git`. This validation should be independent of the LLM's own instructions. For example, use a regular expression to ensure the branch name adheres to git's naming conventions and does not contain any characters that could be interpreted as command separators or special arguments. | LLM | src/index.ts:30 |
| INFO | User Input Sent to Third-Party LLM: The skill sends the user's `description` to the OpenAI API for processing. While this is the core functionality of the skill and is implicitly disclosed by the requirement for an `OPENAI_API_KEY` and the 'How It Works' section, users should be aware that any sensitive information included in their `description` will be transmitted to OpenAI. This is a standard practice for LLM-powered skills but warrants an informational note regarding data privacy. Ensure clear and prominent disclosure to users that their input will be sent to a third-party LLM provider (OpenAI). Advise users against including highly sensitive or confidential information in their descriptions. Consider adding a privacy policy link or a disclaimer in the skill's documentation. | LLM | src/index.ts:15 |