Trust Assessment
polymarket-latest-events received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via `curl` with user-controlled parameters.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via `curl` with user-controlled parameters. The skill explicitly suggests using `curl via Bash` to fetch data. It also describes 'Filtering Options' where parameters like `tag_id`, `order`, `limit`, and `series_id` can be customized. If the LLM constructs the `curl` command by directly interpolating user-provided values for these parameters without proper sanitization or shell escaping, a malicious user could inject arbitrary shell commands. For example, providing `tag_id=123; rm -rf /` could lead to command execution on the host system. Prefer using the `web_fetch` tool over `curl` for external HTTP requests, as `web_fetch` is typically implemented as a safer API call that handles URL encoding. If `curl` must be used, ensure all user-provided parameters are strictly validated (e.g., against a whitelist or type-checked) and/or properly shell-escaped before being interpolated into the `curl` command string. The LLM should be instructed to use a robust escaping mechanism for shell commands when constructing them from user input. | LLM | SKILL.md:20 |
Full report: https://skillshield.io/report/95c1616575861505