Trust Assessment
openhue received a trust score of 88/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via user-controlled arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via user-controlled arguments | LLM | SKILL.md:18 |

Description: The skill defines CLI commands that incorporate user-controlled input (e.g., `<id-or-name>`, `<id>`) as arguments. If the LLM constructs these commands by directly substituting user input without proper sanitization or shell escaping, an attacker could inject arbitrary shell commands. This allows for potential remote code execution by crafting malicious input for light IDs, names, or other parameters.

Remediation: Implement robust input validation and sanitization for all user-provided arguments before constructing and executing shell commands. Ensure that arguments are properly quoted or escaped to prevent shell metacharacter interpretation. Consider using a library or framework that safely handles command execution with arguments, such as `subprocess.run` with `shell=False` and passing arguments as a list.
Full report: https://skillshield.io/report/4b0a155fa9dd6f31