Trust Assessment
ogt-docs-create received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Command Injection via Unsanitized Script Argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Command Injection via Unsanitized Script Argument.** The `create-feature-with-tasks.sh` script, provided as an example for batch creation, uses the first argument (`$1`, the feature name) directly in shell commands (`mkdir -p`, `cat >`) without proper sanitization or quoting. This allows for command injection if the script is executed with untrusted input containing shell metacharacters. For example, passing `my-feature; rm -rf /` as the feature name would execute `rm -rf /`. This vulnerability appears in multiple locations within the script where the `$FEATURE` variable is used. When generating or executing shell scripts with user-provided input, ensure all variables are properly sanitized and quoted. For file paths, use `printf %q` or similar methods to escape special characters. For this specific script, modify lines like `mkdir -p docs/define/features/$FEATURE` to `mkdir -p "docs/define/features/$FEATURE"` and ensure all other instances of `$FEATURE` in shell commands are similarly protected. | LLM | SKILL.md:170 |