Trust Assessment
codesession received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are Potential Command Injection via Unsanitized CLI Arguments and Unpinned Dependency in Skill Manifest.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via Unsanitized CLI Arguments. The skill instructs the agent to execute `codesession-cli` commands that accept string arguments such as 'task description', 'completion notes', and 'agent name' (e.g., `cs start "task description"`, `cs end -n "completion notes"`, `cs log-ai ... --agent "Agent Name"`). If an agent directly interpolates user-provided input into these arguments without proper shell escaping or sanitization, a malicious user could inject arbitrary shell commands. For example, a 'task description' like `"foo"; rm -rf /; echo "bar"` could lead to arbitrary code execution if the agent constructs the command string and executes it via a shell. Agents should always sanitize or properly escape any user-provided input before incorporating it into shell commands. When executing external commands, prefer using array-based command execution (e.g., `subprocess.run(['cs', 'start', user_input])` in Python) which avoids shell interpretation, or ensure robust shell escaping for string arguments. | LLM | SKILL.md:40 |
| MEDIUM | Unpinned Dependency in Skill Manifest. The skill's manifest specifies `codesession-cli` as a dependency from npm without pinning a specific version. This means `npm install -g codesession-cli` will always install the latest available version. While convenient, this practice introduces a supply chain risk, as a malicious update to the `codesession-cli` package could be automatically installed, potentially compromising the agent's environment or data. Pin the `codesession-cli` dependency to a specific, known-good version in the skill's manifest (e.g., `"package": "codesession-cli@1.9.4"`). Regularly review and update the pinned version after verifying new releases for security and compatibility. | LLM | SKILL.md:10 |