Trust Assessment
food-order received a trust score of 71/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include "Missing required field: name", "Potential Command Injection via User Input", and "Excessive Permissions: Arbitrary Shell Command Execution".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via User Input.** The skill defines shell commands that incorporate user-provided inputs (e.g., `<orderCode>`, `<id>`, `--email`). If the agent directly interpolates these inputs into shell commands without proper sanitization (e.g., quoting, escaping), a malicious user could inject arbitrary commands. For example, an `<orderCode>` value like `12345; rm -rf /` could lead to arbitrary code execution on the host system. This is a common vulnerability when exposing shell commands to an LLM agent. The agent implementation must strictly sanitize all user-provided inputs before constructing and executing shell commands. This typically involves quoting arguments and escaping special shell characters. Consider using a dedicated library for command execution that handles sanitization automatically, or explicitly define input validation rules for each parameter. | LLM | SKILL.md:28 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from the frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/food-order/SKILL.md:1 |
| MEDIUM | **Excessive Permissions: Arbitrary Shell Command Execution.** The skill grants the agent the ability to execute arbitrary shell commands via the `ordercli` tool. This provides a broad attack surface, as the agent can potentially run any command available on the host system. While the skill attempts to define 'Hard safety rules', the underlying capability is highly privileged. Additionally, the debug command `ordercli --config /tmp/ordercli.json` implies write access to arbitrary filesystem paths, which could be abused for data tampering or privilege escalation if not properly sandboxed. Implement strict sandboxing for the agent's execution environment, limiting its access to only necessary commands and resources. Restrict filesystem write access to designated, temporary directories. Review the `ordercli` tool's capabilities and ensure only the minimum required subcommands are exposed to the agent. Consider using an allowlist approach for commands and arguments. | LLM | SKILL.md:19 |
| MEDIUM | **Supply Chain Risk: Reliance on Unspecified External Binary.** The skill relies entirely on an external command-line tool named `ordercli`. The origin, security posture, maintenance, and trustworthiness of this binary are not specified. A compromised or malicious `ordercli` binary, or vulnerabilities within it, could lead to severe security breaches, including data exfiltration, command injection, or system compromise. There is no mechanism described to verify the integrity or authenticity of `ordercli`. Provide clear documentation on how to obtain, verify, and install `ordercli`. Ideally, `ordercli` should be open-source, allowing for security audits. If it is a closed-source binary, ensure it comes from a trusted vendor and that its integrity can be verified (e.g., via cryptographic signatures). Consider packaging `ordercli` as a dependency within the skill's environment to ensure version control and reduce external risks. | LLM | SKILL.md:19 |