Trust Assessment
gousto received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Command Injection via unsanitized user input in recipe slug.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Command Injection via unsanitized user input in recipe slug. The 'recipe.sh' script takes a recipe slug as its first argument ($1) and directly interpolates it into an API URL without any sanitization or validation. If the user-provided slug contains shell metacharacters or command substitutions (e.g., `$(command)` or `` `command` ``), these commands will be executed by the shell before the `curl` command is invoked, leading to arbitrary command execution. Sanitize the `slug` variable to ensure it only contains allowed characters (e.g., alphanumeric, hyphens) or escape shell metacharacters before it is used in the `API_URL`. A robust solution would be to validate the input against a strict regex pattern (e.g., `^[a-zA-Z0-9-]+$`) or use `printf %q` for shell-safe quoting if more complex characters are expected. | LLM | scripts/recipe.sh:14 |