Trust Assessment
pagerduty received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. The key findings are potential shell command injection via `PAGERDUTY_ROUTING_KEY` and potential shell command injection via `PAGERDUTY_API_KEY`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential shell command injection via PAGERDUTY_ROUTING_KEY. The `curl` commands for triggering and resolving incidents embed the `PAGERDUTY_ROUTING_KEY` directly into a shell string within the JSON payload without proper escaping. If the `PAGERDUTY_ROUTING_KEY` environment variable contains malicious shell commands (e.g., `"; rm -rf /; echo "`), these commands could be executed by the shell when the `curl` command is run. Ensure that environment variables used in shell commands are properly escaped or sanitized before execution. For JSON payloads, consider using a tool like `jq` or a programming language to construct the JSON safely, or escape the variable content using shell parameter expansion like `"routing_key": "${PAGERDUTY_ROUTING_KEY@Q}"` (Bash 4.4+) or `"routing_key": "$(printf %q "$PAGERDUTY_ROUTING_KEY")"`. | LLM | SKILL.md:17 |
| HIGH | Potential shell command injection via PAGERDUTY_API_KEY. The `curl` commands for listing incidents, getting on-call, and listing services embed the `PAGERDUTY_API_KEY` directly into the `Authorization` header string without proper escaping. If the `PAGERDUTY_API_KEY` environment variable contains malicious shell commands (e.g., `"; rm -rf /; echo "`), these commands could be executed by the shell when the `curl` command is run. Ensure that environment variables used in shell commands are properly escaped or sanitized before execution. For example, use `"Authorization: Token token=$(printf %q "$PAGERDUTY_API_KEY")"` or `"Authorization: Token token=${PAGERDUTY_API_KEY@Q}"` (Bash 4.4+) to safely embed the variable. | LLM | SKILL.md:39 |