Trust Assessment
bvg-route received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is an unencoded API parameter in a shell script.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unencoded API parameter in shell script: The `when` parameter (representing arrival/departure time) is concatenated directly into the API URL query string without being URL-encoded. This allows an attacker to inject arbitrary query parameters or produce a malformed API request by providing a specially crafted `when` value, potentially leading to unintended API calls, data retrieval, or denial of service. The `SKILL.md` explicitly states that all query parameters must be URL-encoded, but this is not applied to the `when` variable. Remediation: apply URL encoding to the `$when` variable before including it in the URL query string, similar to how `$from_raw` and `$to_raw` are handled. For example, add `when_enc=$(urlencode "$when")` and then use `${when_enc}` in the URL construction. | LLM | scripts/journeys.sh:18 |