Trust Assessment
github-mentions received a trust score of 44/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 1 high, 5 medium, and 0 low severity. Key findings include Sensitive environment variable access: $GITHUB_MENTIONS_STATE, Sensitive environment variable access: $HOME, Sensitive environment variable access: $GITHUB_MENTIONS_CONFIG.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Untrusted content attempts to instruct LLM to execute shell command. The `SKILL.md` file, within the untrusted input section, contains a 'Cron Setup' payload that directly instructs the LLM to execute a shell command (`Run: bash ~/.openclaw/workspace/skills/github-mentions/github-mentions.sh check`). This is a direct attempt to manipulate the host LLM's behavior by providing executable instructions within content designated as untrusted, which falls under prompt injection. Remove direct instructions for the LLM from untrusted content. If this is intended to be a skill for an agent, the agent's execution logic should be defined outside of the untrusted skill description, or the skill should expose functions/tools that the agent can call, rather than direct shell commands. | LLM | SKILL.md:163 |
| HIGH | Direct interpolation of untrusted input into `jq` filter string allows command injection and data exfiltration. The `github-mentions.sh` script directly interpolates variables into `jq` filter strings without proper escaping or argument passing mechanisms. This allows for command injection if an attacker can control the content of these variables. Specifically, `set_config` and `update_state` take their `jq` filter as `$1`, which can be controlled by CLI arguments or other means. `get_config`, `get_state`, `is_org_member`, and `cmd_check` also interpolate variables (`$key`, `$org`, `$username`, `$mention_id`) into `jq` filters. A malicious string in these variables could lead to arbitrary `jq` filter execution, allowing an attacker to read sensitive data from `config.json` or `state.json` (e.g., using `input` or `inputs` functions within `jq`), or manipulate their content in unintended ways. Avoid direct string interpolation for `jq` filters. Instead, use `jq`'s `--arg` or `--argjson` options to pass variable values safely, or construct the `jq` filter string carefully with proper escaping if dynamic filters are absolutely necessary. For simple key-value updates, consider using `jq`'s built-in update syntax with `--arg` for the key and value. | LLM | github-mentions.sh:47 |
| MEDIUM | Sensitive environment variable access: $GITHUB_MENTIONS_STATE. Access to sensitive environment variable '$GITHUB_MENTIONS_STATE' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gigi-trifle/github-mentions/github-mentions.sh:7 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gigi-trifle/github-mentions/github-mentions.sh:7 |
| MEDIUM | Sensitive environment variable access: $GITHUB_MENTIONS_CONFIG. Access to sensitive environment variable '$GITHUB_MENTIONS_CONFIG' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gigi-trifle/github-mentions/github-mentions.sh:9 |
| MEDIUM | Potential command injection in `date -d` with state file content. The `refresh_org_members` function uses `date -d "$last_refresh" +%s`. The `$last_refresh` variable is read directly from the state file (`.orgMembersLastRefresh`). If an attacker could inject a malicious string into this field in the state file (e.g., by exploiting another vulnerability or direct file access), it could lead to arbitrary command execution via `date -d`'s interpretation of the string. Validate or sanitize the `$last_refresh` variable before passing it to `date -d`. Ensure it strictly conforms to an expected date format and does not contain shell metacharacters. Alternatively, use a safer method for date parsing that doesn't involve shell execution of the date string. | LLM | github-mentions.sh:89 |
| MEDIUM | Skill requires broad `gh` CLI access. The skill extensively uses the `gh` CLI, including `gh api`, `gh search issues`, `gh search prs`, and `gh api user/orgs`. This grants the skill broad access to the user's GitHub account, including reading notifications, repository details, organization members, and potentially posting comments/reviews (implied by the cron job description). While necessary for its functionality, this broad access, especially when combined with potential command injection vulnerabilities, increases the attack surface and the impact of a successful exploit. Implement the principle of least privilege. If possible, use more granular GitHub API tokens with restricted scopes instead of a full `gh auth login` token. Carefully review all `gh api` calls to ensure they only request necessary data and do not inadvertently expose sensitive information or allow unintended actions. Ensure robust input validation and sanitization for all parameters passed to `gh` commands. | LLM | github-mentions.sh:59 |