Trust Assessment
merge-pr received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The key findings are "Potential command injection through unsanitized PR identifier" and "Arbitrary code execution and data exposure via sourcing untrusted `.local/prep.env`".
The analysis covered 4 layers: manifest_analysis, static_code_analysis, llm_behavioral_safety, dependency_graph. The llm_behavioral_safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary code execution and data exposure via sourcing untrusted `.local/prep.env`: The skill explicitly sources the `.local/prep.env` file from the PR's worktree using `source .local/prep.env`. This file is part of the untrusted content of the Pull Request. If a malicious PR includes a `.local/prep.env` file containing arbitrary shell commands, these commands will be executed in the skill's environment with the permissions of the skill. This allows for arbitrary code execution (command injection). Furthermore, any sensitive information (e.g., API keys, tokens, environment variables) present in the skill's environment could be exfiltrated by commands placed in the malicious `.local/prep.env` file. Never `source` or `eval` untrusted files directly. If environment variables are needed from the PR, they should be extracted using a safe parser (e.g., a Python or Node.js script that reads the file line by line and parses `KEY=VALUE` pairs without executing them) and then explicitly set. Alternatively, if the intent is to allow the PR to define environment variables for its own build/test process, this should be done in an isolated, sandboxed environment that cannot affect the host system or exfiltrate data. | Unknown | SKILL.md:44 |
| HIGH | Potential command injection through unsanitized PR identifier: The skill executes shell commands like `scripts/pr-merge verify <PR>` and `scripts/pr-merge run <PR>`. The `<PR>` placeholder is expected to be provided by the user (PR number or URL). If this input is not properly sanitized before being passed to the shell, an attacker could inject arbitrary shell commands. For example, providing `123; malicious_command` as the PR identifier could lead to the execution of `malicious_command`. Implement robust input validation and sanitization for the `<PR>` argument. Ensure that only valid PR numbers or URLs are accepted, and escape any special shell characters before passing the input to `scripts/pr-merge`. Ideally, pass the PR identifier as a distinct argument to the script, rather than directly interpolating it into a shell string, or use a library/framework that handles argument parsing securely. | Unknown | SKILL.md:30 |