Trust Assessment
okta received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unsanitized environment variable interpolation in shell commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unsanitized environment variable interpolation in shell commands | LLM | SKILL.md:13 |

Description: The skill constructs `curl` commands by directly interpolating environment variables (`$OKTA_DOMAIN`, `$OKTA_API_TOKEN`) into shell strings. If these environment variables contain shell metacharacters (e.g., `;`, `&`, `|`, `$(...)`), an attacker could inject arbitrary commands that would be executed by the underlying shell. This is a classic command injection vulnerability, as the `claude_code` ecosystem implies these snippets are intended for execution or code generation.

Recommendation: Avoid direct string interpolation of potentially untrusted environment variables into shell commands. Instead, use a robust HTTP client library in a programming language (e.g., Python's `requests`, Node.js's `axios`) that handles URL and header construction safely. If shell execution is strictly necessary, ensure all interpolated variables are thoroughly validated and/or properly escaped using shell-specific escaping mechanisms (e.g., `printf %q` in bash) before command execution.