Trust Assessment
nginx-config-creator received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, command injection via `CONTAINER_NAME` in `docker exec`, and command injection during `CONF_FILE_PATH` variable assignment.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/xieyuanqing/nginx-config-creator/scripts/create-and-reload.sh:65 |
| CRITICAL | Command Injection via `CONTAINER_NAME` in `docker exec`: The `CONTAINER_NAME` variable, which is populated directly from user input (either via `--container-name` argument or `NGINX_CONTAINER_NAME` environment variable), is used without sanitization in `docker exec "$CONTAINER_NAME"`. An attacker can inject arbitrary shell commands into `CONTAINER_NAME` (e.g., `my_container; rm -rf /; #`) which will be executed on the host system with the privileges of the skill, leading to arbitrary code execution. Implement strict validation for `CONTAINER_NAME` to ensure it only contains characters valid for Docker container names. Avoid direct interpolation of untrusted input into shell commands. Consider using `printf %q` for escaping if direct shell execution is unavoidable, or use a Docker API client with restricted permissions. | LLM | scripts/create-and-reload.sh:78 |
| HIGH | Command Injection during `CONF_FILE_PATH` variable assignment: The `CONF_FILE_PATH` variable is constructed by concatenating user-controlled inputs `CONFIG_PATH` and `SERVICE_NAME` (e.g., `CONF_FILE_PATH="${CONFIG_PATH}/${SERVICE_NAME}.conf"`). If `CONFIG_PATH` or `SERVICE_NAME` contain shell metacharacters (e.g., `"; evil_command #"`), these commands will be executed by the shell during the variable assignment itself, leading to arbitrary code execution on the host system. Implement strict validation for `CONFIG_PATH` and `SERVICE_NAME` to ensure they only contain characters safe for file paths and do not contain shell metacharacters. Avoid direct concatenation of untrusted input into shell variable assignments without proper escaping or validation. | LLM | scripts/create-and-reload.sh:50 |
| MEDIUM | Direct `docker` command execution grants broad host access: The skill's manifest declares a dependency on `docker` and the script directly executes `docker exec` commands. This grants the skill broad access to the host's Docker daemon. While necessary for its intended function, this level of access, especially when combined with command injection vulnerabilities, significantly increases the attack surface and potential for host compromise or container escape. The skill operates with high privileges by interacting directly with Docker. Ensure all inputs to `docker` commands are strictly validated and sanitized. Consider running the skill in an environment with restricted Docker permissions (e.g., a non-root user, or a Docker socket proxy with fine-grained access control). Explore alternative methods for Nginx configuration management that do not require direct `docker exec` if possible, or use a Docker API client with the least necessary privileges. | LLM | Manifest:78 |