Trust Assessment
mcdonald received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. The key findings are shell injection via MCD_TOKEN in the Authorization header, shell injection via MCD_MCP_URL in the curl URL, and potential API/JSON injection via the dynamic 'arguments' placeholder.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Shell injection via MCD_TOKEN in Authorization header. The skill builds a `MCD_AUTH` shell variable from `MCD_TOKEN` and passes it to `curl` as `-H "$MCD_AUTH"`. A double-quoted expansion is not re-parsed by the shell, so backticks, semicolons or quotes inside the value reach `curl` as literal bytes rather than executing. The realistic risks are a CR/LF sequence in the token injecting additional HTTP headers (whether `curl` rejects embedded line breaks depends on the version, so do not rely on it), and the common failure in LLM-driven skills of the model pasting the token value inline into the command text instead of referencing the variable, at which point any metacharacter in it is executed. Validate `MCD_TOKEN` against the narrow alphabet a bearer token is expected to have (reject whitespace, control characters and quotes), always reference it through the variable, and prefer supplying the header from a file or stdin (`-H @file`, curl 7.55 or newer) or a `curl` config file (`-K`) so the secret also stays out of the process list. | LLM | SKILL.md:36 |
| HIGH | Shell injection via MCD_MCP_URL in curl URL. The skill builds a `MCD_URL` shell variable from `MCD_MCP_URL` and passes it as `"$MCD_URL"`. As above, the quoted expansion does not give shell command execution; the real exposure is that the value controls where the request, including the `Authorization` header, is sent. An attacker who can set `MCD_MCP_URL` can redirect the bearer token to a host they own, and because the URL is positional, a value beginning with `-` is parsed by `curl` as an option (for example `-o` to write a file or `-K` to load an attacker-supplied config). Validate the value against an allowlist of scheme and host (`https://` and the expected MCP endpoint), pass it as `--url "$MCD_URL"` or after `--` so it can never be read as an option, and keep the same check if the skill is re-implemented with a language binding that handles the request. | LLM | SKILL.md:35 |
| MEDIUM | Potential API/JSON injection via dynamic 'arguments' placeholder. The general '调用方式' (Calling Method) section shows a placeholder `<参数>` (parameters) within the `arguments` field of the JSON payload (`"arguments":{<参数>}`). While the specific examples use fixed or empty arguments, the placeholder implies the LLM will insert user-provided input into this field. If that input is inserted without JSON escaping or validation, an attacker can break out of the string and add or alter fields of the request to the MCP service (a different method or tool, extra parameters, or a malformed body that causes unexpected behaviour downstream). Where `arguments` are generated from user input, instruct the LLM to build the body with a JSON-aware tool (for example `jq -n --arg`) or to JSON-escape every value; better, define a strict schema for `arguments` and accept only predefined keys and types, so arbitrary user input is never inserted. | LLM | SKILL.md:41 |
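The three findings above share one fix: validate the two environment values before they reach `curl`, pass them in positions where they cannot be read as options, and build the JSON body with escaping instead of pasting text into it. The script below is an added example, not code from the mcdonald skill or its SKILL.md. `MCD_TOKEN` and `MCD_MCP_URL` are the variable names from the report; the function names, the sample values, the `https`-only URL policy and the JSON-RPC `tools/call` body shape (the standard MCP form, assumed here because the page does not show the full payload) are all assumptions. It requires bash and, for the `-H @-` form, curl 7.55 or newer.

```shell
#!/usr/bin/env bash
# Added example, not code from the mcdonald skill. MCD_TOKEN and MCD_MCP_URL are the
# variable names from the report; every function name and sample value here is made up.
set -euo pipefail

# Bearer tokens have a narrow alphabet. Rejecting everything else removes the CR/LF
# header-injection case and any value that could be misread as a curl option.
validate_token() {
  local re='^[A-Za-z0-9_.~+/=-]{16,4096}$'
  [[ "$1" =~ $re ]]
}

# The URL decides where the token is sent, so pin the scheme and host shape.
# Assumption: https only; tighten the host to your real MCP endpoint in a deployment.
validate_url() {
  local re='^https://[A-Za-z0-9.-]+(:[0-9]{1,5})?(/[A-Za-z0-9._~%/-]*)?$'
  [[ "$1" =~ $re ]]
}

# Escape a string for use inside a JSON string literal (backslash, quote, CR, LF, tab).
json_escape() {
  local s="$1"
  s="${s//\\/\\\\}"
  s="${s//\"/\\\"}"
  s="${s//$'\r'/\\r}"
  s="${s//$'\n'/\\n}"
  s="${s//$'\t'/\\t}"
  printf '%s' "$s"
}

# Build the request body with escaped values instead of pasting <参数> in raw.
# The JSON-RPC tools/call shape is the standard MCP one; it is assumed, not taken from the skill.
build_payload() {
  local tool="$1" key="$2" value="$3"
  printf '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"%s","arguments":{"%s":"%s"}}}' \
    "$(json_escape "$tool")" "$(json_escape "$key")" "$(json_escape "$value")"
}

# Validate both inputs, then call curl in a way that neither value can hijack:
#   --url   keeps a dash-prefixed URL from being parsed as an option
#   -H @-   reads the Authorization header from stdin, so the token is not in `ps` output
#           (needs curl 7.55 or newer)
call_mcp() {
  local payload="$1"
  validate_token "${MCD_TOKEN:-}" || { echo "MCD_TOKEN rejected" >&2; return 1; }
  validate_url "${MCD_MCP_URL:-}" || { echo "MCD_MCP_URL rejected" >&2; return 1; }
  printf 'Authorization: Bearer %s\n' "$MCD_TOKEN" |
    curl -fsS --url "$MCD_MCP_URL" -H @- -H 'Content-Type: application/json' \
      -H 'Accept: application/json' --data "$payload"
}

# Only sends when run as `./mcd_call.sh --send` with the two variables exported;
# otherwise the file just defines the functions above.
if [[ "${1:-}" == "--send" ]]; then
  call_mcp "$(build_payload 'search' 'query' 'burgers near me')"
fi
```

Run it as `MCD_TOKEN=... MCD_MCP_URL=https://... ./mcd_call.sh --send`. A token containing a line break or a URL such as `-o /tmp/x` is rejected before `curl` starts, and a user value like `a"b` arrives in the `arguments` object as `"a\"b"` rather than terminating the string.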
Full report: https://skillshield.io/report/93bf6abb813103c4 (powered by SkillShield)