Trust Assessment
gitai-automation received a trust score of 77/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Potential Command Injection via `gitai` arguments, Broad `Write File` permission without clear justification, Potential exposure of `gitai` API key via `Read File`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | Potential Command Injection via `gitai` arguments | The skill allows the agent to execute the `gitai` CLI tool using `Run Command` permission. The `projectPath` and `baseMessage` arguments to `gitai` are designed to accept user-controlled input. If the agent constructs the command string by directly concatenating untrusted user input for these arguments without proper sanitization (e.g., escaping shell metacharacters), it could lead to arbitrary command execution on the host system. This is a direct and high-impact vulnerability given the `Run Command` capability. The agent must strictly sanitize or escape any user-provided input for `projectPath` and `baseMessage` before passing them to the `gitai` command. The safest approach is to use a command execution method that passes arguments as a list (e.g., `subprocess.run(['gitai', project_path, base_message])` in Python) rather than constructing a single shell string. | LLM | SKILL.md:50 |
| MEDIUM | Broad `Write File` permission without clear justification | The skill requests `Run Command`, `Read File`, and `Write File` permissions. While `Run Command` is essential for executing `gitai` and `Read File` is likely needed for `gitai` to analyze code, the `Write File` permission is not explicitly justified by the skill's description. This broad permission, combined with the ability to specify any `projectPath` for `gitai`, could allow the agent to write to arbitrary locations on the filesystem, potentially leading to data corruption or unauthorized file modification. Re-evaluate whether `Write File` permission is strictly necessary for the skill's intended functionality. If not, remove it to reduce the attack surface. If it is required, provide clear documentation on why it is needed and how its scope is limited (e.g., only writing to temporary directories or within the project scope). | LLM | SKILL.md:1 |
| MEDIUM | Potential exposure of `gitai` API key via `Read File` | The skill's troubleshooting section explicitly mentions that the `~/.gitai` configuration file contains an `API_KEY`. With the granted `Read File` permission, the agent could potentially read the contents of this sensitive file. If an attacker could craft a prompt to induce the agent to read and output this file, it would lead to credential harvesting and data exfiltration. Although the skill does not explicitly instruct the agent to read this file, the capability exists due to the broad `Read File` permission. The agent's implementation should include explicit safeguards to prevent reading or exposing sensitive configuration files like `~/.gitai`. If the agent needs to interact with `gitai`'s configuration, it should do so through `gitai`'s own secure mechanisms (if available), not by directly reading the file. Consider restricting `Read File` access to only necessary project directories. | LLM | SKILL.md:79 |
Full report: https://skillshield.io/report/57fbe2d2979fa1f9