Trust Assessment
github-kb received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 0 high, 2 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $GITHUB_TOKEN", "Sensitive environment variable access: $GITHUB_KB_PATH", and "Potential Command Injection via User-Controlled Arguments".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection via User-Controlled Arguments.** The skill describes executing shell commands (`gh search`, `git clone`) where parts of the command are expected to be derived from user input (e.g., `<query>`, `<owner>`, `<name>`). If the AI agent directly interpolates untrusted user input into these shell commands without proper sanitization or escaping, it creates a critical command injection vulnerability. An attacker could inject arbitrary shell commands by crafting malicious input for search queries or repository names, leading to arbitrary code execution within the skill's environment. Implement robust input validation and sanitization for all user-provided arguments before constructing and executing shell commands. When executing external commands, use libraries or APIs that safely handle arguments (e.g., `subprocess.run` with `shell=False` in Python, passing arguments as a list) to prevent shell metacharacters from being interpreted as commands. For `git clone`, validate repository names and paths rigorously. | LLM | SKILL.md:68 |
| CRITICAL | **Potential Command Injection via Git Clone Target Path.** The skill instructs to clone repositories using `git clone https://github.com/<owner>/<name>.git ${GITHUB_KB_PATH:-/home/node/clawd/github-kb}/<name>`. If the `<name>` component is directly derived from untrusted user input, an attacker could inject shell metacharacters or directory traversal sequences (e.g., `../../evil_dir; rm -rf /`) into the target path. This could lead to arbitrary file system manipulation or command execution outside the intended knowledge base directory. Strictly validate and sanitize the `<name>` component to ensure it only contains safe characters suitable for a directory name. Prevent directory traversal sequences (e.g., `..`, `/`) and shell metacharacters. When constructing the target path, ensure that the final path is canonicalized and validated against an allowed base directory to prevent writing to arbitrary locations. Use safe command execution methods that properly escape arguments. | LLM | SKILL.md:130 |
| MEDIUM | **Sensitive environment variable access: $GITHUB_TOKEN.** Access to sensitive environment variable '$GITHUB_TOKEN' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jameschan21/github-kb/SKILL.md:35 |
| MEDIUM | **Sensitive environment variable access: $GITHUB_KB_PATH.** Access to sensitive environment variable '$GITHUB_KB_PATH' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jameschan21/github-kb/SKILL.md:113 |