Trust Assessment
commit-analyzer received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 1 medium, and 0 low severity. Key findings include "Missing required field: name" and "Command Injection via Unsanitized User Input".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via Unsanitized User Input: The `analyzer.sh` script directly interpolates user-controlled input (`$PARAM`) into `git log --since="$days days ago"` commands without proper sanitization or validation. This allows an attacker to inject arbitrary shell commands by providing a specially crafted string for `$PARAM` (e.g., `1; rm -rf /`), leading to arbitrary code execution on the host system. Validate and sanitize the `$PARAM` variable to ensure it contains only expected numeric values before using it in shell commands. For example, use a regular expression to check if the input is an integer, or cast it to an integer type if the shell supports it. A robust solution would be to explicitly check `if [[ $PARAM =~ ^[0-9]+$ ]]; then ... else handle_error; fi`. | LLM | analyzer.sh:50 |
| MEDIUM | Missing required field: name. The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the SKILL.md frontmatter. | Static | skills/bobrenze-bot/commit-analyzer/SKILL.md:1 |
Full report: https://skillshield.io/report/6ef25953c0184f0e
Powered by SkillShield