Trust Assessment
coach received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 3 high, 0 medium, and 0 low severity. Key findings include Command Injection via User-Provided Inputs in Shell Commands, Path Traversal Vulnerability in File Naming, and Direct Handling of Sensitive API Credentials.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via User-Provided Inputs in Shell Commands.** The skill instructs the LLM to construct and execute shell commands using `npx claude-coach`. Several arguments to these commands (`--client-id`, `--client-secret`, `--code`, and the SQL `YOUR_QUERY`) are directly derived from user input or LLM-generated content that could be influenced by user input. If a malicious user provides specially crafted input (e.g., including shell metacharacters like `;`, `&`, `\|`), it could lead to arbitrary command execution on the host system. For example, `CLIENT_ID="; rm -rf /; #"` could be injected. All user-provided inputs (`CLIENT_ID`, `CLIENT_SECRET`, `FULL_REDIRECT_URL`, `YOUR_QUERY`) must be rigorously sanitized and properly escaped before being inserted into shell commands. Prefer using dedicated APIs or libraries that handle argument escaping automatically instead of raw string concatenation for shell commands. Implement strict input validation for all user-controlled parameters. | LLM | SKILL.md:59 |
| HIGH | **Path Traversal Vulnerability in File Naming.** The skill instructs the LLM to create JSON files with names like `{event-name}-{date}.json` and then use these filenames in subsequent `npx claude-coach render` commands. If the `event-name` or other components of the filename can be influenced by user input, a malicious user could inject path traversal sequences (e.g., `../../`) to write files to arbitrary locations on the filesystem, potentially overwriting critical system files or exfiltrating data. Strictly sanitize and validate all components used to construct filenames. Disallow path separators (`/`, `\`) and path traversal sequences (`..`). Restrict file creation to a dedicated, isolated, and non-sensitive directory. | LLM | SKILL.md:239 |
| HIGH | **Direct Handling of Sensitive API Credentials.** The skill explicitly instructs the LLM to ask the user for their Strava Client ID and Client Secret, and then to use these credentials directly in a shell command (`npx claude-coach auth`). Handling raw API keys and secrets in this manner within an LLM context poses a significant risk. If the LLM's memory or the execution environment is compromised, these credentials could be exposed. While the skill's intent is to use them for legitimate authorization, the direct capture and command-line passing of secrets is insecure. Avoid asking users for raw API keys or secrets directly. Implement OAuth flows where the LLM only handles authorization codes or redirect URLs, and the underlying tool (`claude-coach`) is responsible for securely exchanging these for tokens and storing them. If direct input is unavoidable, ensure credentials are immediately stored in a secure, encrypted manner (e.g., a secrets manager) and never exposed in logs or command-line arguments. | LLM | SKILL.md:59 |
| HIGH | **Unpinned Dependency in `npx` Command.** The skill uses `npx claude-coach` without specifying a version (e.g., `npx claude-coach@1.2.3`). This means `npx` will always fetch and execute the `latest` version of the `claude-coach` package from npm. This introduces a significant supply chain risk, as a malicious actor could publish a compromised version of `claude-coach` to npm, which would then be automatically executed by the agent, leading to arbitrary code execution or data exfiltration. Pin the version of the `claude-coach` package used with `npx` (e.g., `npx claude-coach@1.0.0`). Regularly review and update the pinned version to incorporate security fixes, but only after verifying the integrity of the new version. Consider vendoring critical tools or using private package registries for enhanced control. | LLM | SKILL.md:59 |