Trust Assessment
newrelic received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include JSON/GraphQL Injection via unescaped environment variable in curl payload.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | JSON/GraphQL Injection via unescaped environment variable in curl payload. The `curl` command example for querying NRQL directly interpolates the `$NEWRELIC_ACCOUNT_ID` environment variable into the JSON payload without proper escaping. If `$NEWRELIC_ACCOUNT_ID` contains special characters (e.g., `"`, `\`, or GraphQL syntax), an attacker could inject arbitrary JSON or GraphQL fragments. This could lead to malformed requests, denial of service, or potentially unintended API calls and data exfiltration if the injected fragments are valid GraphQL and the API key has sufficient permissions. Ensure that environment variables interpolated into JSON payloads are properly JSON-escaped. For shell scripts, use `jq` for robust JSON construction, or use `printf` with appropriate escaping. If `NEWRELIC_ACCOUNT_ID` is always an integer, ensure it's cast to an integer before use. If it's a string, it must be properly JSON-escaped before inclusion in the payload. | LLM | SKILL.md:13 |