Trust Assessment
irish-takeaway received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Command Injection via user-controlled arguments in shell script.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Command Injection via user-controlled arguments in shell script.** The `search-takeaways.sh` script directly interpolates user-provided arguments (`CUISINE` and `RADIUS`) into a shell command (`goplaces search ...`). Command substitution (e.g., `$(command)`) and other shell metacharacters are expanded within double-quoted variables in bash. This allows an attacker to inject and execute arbitrary shell commands on the host system by crafting malicious input for `CUISINE` or `RADIUS`. Remediation: validate and sanitize user inputs (`CUISINE`, `RADIUS`) before using them in shell commands. For `RADIUS`, ensure it is a numeric value. For `CUISINE`, consider whitelisting allowed characters or using `printf %q` to properly quote the arguments for safe shell execution, for example `CUISINE_SAFE=$(printf %q "$CUISINE")`, then use `$CUISINE_SAFE` in the command. | LLM | search-takeaways.sh:40 |
Full report: https://skillshield.io/report/7dd4f33745c59db7 (powered by SkillShield)