Trust Assessment
merge-pr received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution via sourcing untrusted environment file, Path traversal vulnerability in worktree directory creation and deletion.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution via sourcing untrusted environment file The skill explicitly uses `source .local/prep.env`, which executes the content of the `.local/prep.env` file as shell commands. This file is generated by a previous skill (`/prepare-pr`) and its content can be influenced by an untrusted GitHub Pull Request (PR). An attacker could craft a malicious PR that, when processed by `/prepare-pr`, injects arbitrary shell commands into `.local/prep.env`. When `/merge-pr` then `source`s this file, these malicious commands would be executed on the host system with the permissions of the agent. This constitutes a direct command injection vulnerability. Avoid `source`ing files whose content is derived from untrusted input. Instead, parse the `.env` file safely, for example, by using `grep -E '^[A-Z_]+=' .local/prep.env | xargs -I {} export {}` to only export lines that strictly conform to environment variable assignments. Additionally, ensure that the `/prepare-pr` skill rigorously sanitizes any content derived from the PR before writing it to `.local/prep.env`. | LLM | SKILL.md:88 | |
| HIGH | Path traversal vulnerability in worktree directory creation and deletion The skill constructs directory paths using a placeholder `<PR>` (e.g., `WORKTREE_DIR=".worktrees/pr-<PR>"`) and then uses these paths in commands like `cd "$WORKTREE_DIR"` and `git worktree remove ".worktrees/pr-<PR>"`. If the value provided for `<PR>` is not strictly validated to be a numeric PR number and can contain path traversal sequences (e.g., `/../`), an attacker could manipulate the path to target arbitrary directories. This could lead to unintended directory changes or the deletion of sensitive files/directories outside the intended worktree scope when `git worktree remove` is executed. Implement strict input validation for the `<PR>` variable, ensuring it is a numeric PR identifier and does not contain any path separators (`/`, `\`) or other special characters. Before using paths constructed with user input, canonicalize them to resolve any `..` sequences and verify they remain within the intended base directory. | LLM | SKILL.md:64 |
Scan History
Embed Code
[](https://skillshield.io/report/e03c9df303e9616c)
Powered by SkillShield