Trust Assessment
hotdog received a trust score of 37/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Hardcoded Bearer Token detected, Command Injection via LLM-generated variables, Hardcoded API Key/Bearer Token.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via LLM-generated variables. The `exec` command directly substitutes LLM-generated `ANSWER` and `DESCRIPTION` variables into a `curl` command without proper escaping. If the LLM is manipulated into generating output containing shell metacharacters (e.g., backticks, semicolons, dollar signs), it could lead to arbitrary command execution on the host system. Ensure that all LLM-generated variables (`ANSWER`, `DESCRIPTION`) are properly escaped for shell execution before being substituted into the `exec` command; for example, use a shell-specific escaping mechanism such as `printf %q` or a dedicated library function if one is available in the execution environment. | LLM | SKILL.md:20 |
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/mishafyi/temp/SKILL.md:24 |
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/mishafyi/temp/SKILL.md:31 |
| MEDIUM | Hardcoded API Key/Bearer Token. A bearer token (`ih1rtmC7ECm8iExqvI6zMbOAqEaXIi9X`) is hardcoded directly within the `SKILL.md` file. Hardcoding credentials makes them publicly visible, difficult to rotate, and increases the risk of compromise if the skill definition is exposed or shared. This token is used for authentication to `api.hotdogornot.xyz`. Remove the hardcoded bearer token from `SKILL.md`; instead, store the token in an environment variable or a secrets management system and reference that variable dynamically within the `exec` command (e.g., `"Authorization: Bearer $HOTDOG_API_KEY"`). The `config.py` file already defines `battle_token` for this purpose, but `SKILL.md` does not use it. | LLM | SKILL.md:20 |
Full report: https://skillshield.io/report/0fa56607b0b4fcbc
Powered by SkillShield