Trust Assessment
datadog received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The key finding is unsafe interpolation of environment variables in shell commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unsafe interpolation of environment variables in shell commands. The skill demonstrates `curl` commands that directly interpolate environment variables (`$DD_SITE`, `$DD_API_KEY`, `$DD_APP_KEY`) into the command string without proper shell escaping or quoting. If an attacker can control the values of these environment variables (e.g., through prompt injection or a compromised environment), they can inject arbitrary shell commands, leading to remote code execution. Remediation: ensure all environment variables interpolated into shell commands are properly shell-escaped. For URL components and HTTP headers, ensure they are also URL-encoded and header-encoded respectively. Prefer using dedicated HTTP client libraries in a programming language that handle parameterization and encoding safely, rather than constructing shell commands via string interpolation. If `curl` must be used, consider using `printf %q` for shell arguments or ensuring the variables are sanitized before use. | LLM | SKILL.md:14 |