Trust Assessment
github-chat-ops received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include Sensitive environment variable access: $GITHUB_TOKEN, Potential Command Injection via Token Handling, Credential Harvesting Risk via Direct PAT Request.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Potential Command Injection via Token Handling The skill's instructions recommend handling user-provided Personal Access Tokens (PATs) by directly embedding them into a shell `export` command: `export GITHUB_TOKEN="<token-from-chat>"`. If the `<token-from-chat>` input is not rigorously sanitized or escaped before being interpolated into this command, a malicious user could inject arbitrary shell commands, leading to severe system compromise. Avoid direct interpolation of untrusted user input into shell commands. Utilize secure environment variable management functions provided by the runtime (e.g., `os.environ` in Python) or ensure comprehensive escaping of all shell metacharacters if shell execution is strictly necessary. | LLM | SKILL.md:30 | |
| HIGH | Credential Harvesting Risk via Direct PAT Request The skill explicitly instructs to request a Personal Access Token (PAT) from the user via chat. While it advises temporary handling and discarding, the act of requesting and receiving such a highly sensitive credential makes the skill a prime target for credential harvesting if its internal handling mechanisms are flawed. The potential command injection vulnerability identified (SS-LLM-003) directly contributes to this risk, as it could allow an attacker to extract the PAT. Minimize the scope and lifetime of requested tokens. Explore alternative, more secure authentication methods like GitHub Apps with fine-grained permissions, which do not require users to share PATs directly. If PATs are unavoidable, implement robust, secure credential management practices, including strict input validation and avoiding direct shell interpolation. | LLM | SKILL.md:25 | |
| MEDIUM | Sensitive environment variable access: $GITHUB_TOKEN Access to sensitive environment variable '$GITHUB_TOKEN' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/iamkalio/github-chat-ops/SKILL.md:22 | |
| MEDIUM | Sensitive Data Stored in Temporary Files The skill's instructions suggest recording raw JSON responses (e.g., to `/tmp/commits.json`) and caching read data (e.g., under `/tmp/github-chat-ops/<repo>/...`). This means potentially sensitive repository information (commits, issues, file contents) will be written to the filesystem. Although `/tmp` is temporary, if the skill's environment is compromised or if other processes have access to `/tmp`, this data could be exfiltrated. The instructions do not specify secure permissions or guaranteed immediate deletion. Avoid writing sensitive data to disk where possible. If temporary storage is essential, use secure temporary file mechanisms provided by the operating system or runtime that ensure strict permissions and automatic, reliable deletion. Consider encrypting sensitive data even for temporary storage. | LLM | SKILL.md:47 |
Scan History
Embed Code
[](https://skillshield.io/report/50814d716cb656fd)
Powered by SkillShield