Trust Assessment
homebrew received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via Arbitrary URL Fetching.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via Arbitrary URL Fetching.** The skill documents the `brew create URL` command, which allows the creation of a Homebrew formula by fetching content from an arbitrary, user-specified URL. If the LLM is prompted to use this command with a malicious or untrusted URL, it could lead to the download and potential execution of arbitrary code on the host system, posing a significant command injection and supply chain risk. The skill does not provide any safeguards or warnings regarding the use of untrusted URLs with this command. **Recommendation:** Add a prominent warning in the skill documentation advising against using `brew create URL` with untrusted or unverified URLs. Implement a mechanism in the LLM's tool execution layer to validate or restrict URLs provided to this command, or require explicit user confirmation for such operations. | LLM | SKILL.md:112 |