Trust Assessment
osori received a trust score of 52/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 3 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME" and "Command Injection via unsanitized root directory in scan-projects.sh".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via unsanitized root directory in scan-projects.sh.** The `scan-projects.sh` script uses the `$ROOT` variable directly as an argument to the `find` command. If the first argument to the script (which sets `$ROOT`) contains shell metacharacters (e.g., `;`, `\|`, `&`, `$(...)`, `` ` ``), it could lead to arbitrary command execution. Double-quoting `$ROOT` protects against word splitting and globbing, but not against command chaining or command substitution if the shell interprets the content of `$ROOT` as part of the command line before `find` is executed. Sanitize or validate the `$ROOT` argument to ensure it is a safe and valid directory path before passing it to `find`. This could involve using `realpath` to canonicalize and validate the path, or explicitly filtering out dangerous characters. For example, ensure the path only contains alphanumeric characters, slashes, dots, and hyphens, or use a more robust method to escape shell metacharacters if the path is intended to contain them. | LLM | scripts/scan-projects.sh:60 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify that this environment variable access is necessary and that the value is not exfiltrated. | Static | skills/oozoofrog/osori/SKILL.md:18 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify that this environment variable access is necessary and that the value is not exfiltrated. | Static | skills/oozoofrog/osori/scripts/add-project.sh:21 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify that this environment variable access is necessary and that the value is not exfiltrated. | Static | skills/oozoofrog/osori/scripts/scan-projects.sh:18 |