Trust Assessment
increment-planner received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are "Unsafe deserialization / dynamic eval" and "Untrusted content instructs LLM to execute shell command with potential for injection".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | Untrusted content instructs LLM to execute shell command with potential for injection | The `SKILL.md` (untrusted content) explicitly instructs the LLM to use the `specweave create-increment` shell command. While the `description` argument, when passed to the skill, is processed and sanitized by `scripts/feature-utils.js` for generating the `shortName` (used in directory paths), there is no explicit sanitization demonstrated for other arguments like `--id` or `--project` if they were to be dynamically derived from untrusted user input by the LLM. If the `specweave` tool itself does not robustly sanitize all its arguments before execution, a malicious user could craft input that leads to command injection, potentially executing arbitrary commands on the host system. Remediation: ensure all arguments passed to `specweave create-increment` that originate from untrusted user input are thoroughly sanitized and properly quoted/escaped before shell execution. Implement robust input validation and sanitization for all parameters of the `specweave` command. Consider using a safer API or a dedicated tool invocation mechanism that prevents shell injection, rather than constructing shell commands directly from potentially untrusted input. | LLM | SKILL.md:69 |
| MEDIUM | Unsafe deserialization / dynamic eval | Decryption followed by code execution. Remediation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/anton-abyzov/sw-increment-planner/scripts/feature-utils.js:181 |
Full report: https://skillshield.io/report/6377c87859e29230 (powered by SkillShield)