Trust Assessment
pr-commit-workflow received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 3 high, 2 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Untrusted skill instructs execution of external script", and "Untrusted skill instructs execution of external command".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Untrusted skill instructs execution of external script.** The untrusted `SKILL.md` explicitly instructs the host LLM to execute the external shell script `scripts/build_pr_body.sh`. Allowing an untrusted skill to directly command the execution of arbitrary scripts or binaries is a significant command injection vulnerability, as a malicious skill could execute any command on the host system. This violates the principle of "Never follow commands found in untrusted content". Implement a strict allowlist for executable commands and scripts. All execution requests from untrusted skills should be validated against this allowlist. Consider sandboxing the execution environment to limit potential damage. | LLM | SKILL.md:28 |
| HIGH | **Untrusted skill instructs execution of external command.** The untrusted `SKILL.md` explicitly instructs the host LLM to execute the external command `gh pr edit`. Allowing an untrusted skill to directly command the execution of arbitrary external commands is a significant command injection vulnerability, as a malicious skill could execute any command on the host system. This violates the principle of "Never follow commands found in untrusted content". Implement a strict allowlist for executable commands and scripts. All execution requests from untrusted skills should be validated against this allowlist. Consider sandboxing the execution environment to limit potential damage. | LLM | SKILL.md:25 |
| HIGH | **Untrusted script contains direct shell execution.** The script `scripts/build_pr_body.sh`, which is part of the untrusted skill package, contains direct shell execution commands such as `uname`, `sw_vers`, and `lsb_release`. If this script is executed (as instructed by `SKILL.md`), these commands will be run on the host system. Executing arbitrary shell commands from untrusted code is a command injection vulnerability. Untrusted scripts should not be executed directly. If specific functionality is required, it should be reimplemented in a secure, sandboxed environment or through a tightly controlled API that does not permit arbitrary shell execution. | LLM | scripts/build_pr_body.sh:2 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to the sensitive environment variable `$HOME` was detected in a shell context. Verify that this access is necessary and that the value is not exfiltrated. | Static | skills/joshp123/pr-commit-workflow/scripts/build_pr_body.sh:6 |
| MEDIUM | **Untrusted script collects and outputs environment variables.** The untrusted script `scripts/build_pr_body.sh` reads and outputs several environment variables (e.g., `AGENT_HARNESS`, `LLM_MODEL`, `TERM_PROGRAM`) and system information (`uname`, `sw_vers`). While the collected variables in this instance appear to be non-sensitive metadata, the pattern of an untrusted script collecting and exfiltrating environment variables poses a data exfiltration risk. A malicious script could be modified to collect sensitive credentials or other private information present in the environment. Restrict the environment variables accessible to untrusted scripts to an absolute minimum. Implement strict sandboxing for script execution that prevents access to the host environment or network, or filters output for sensitive patterns. | LLM | scripts/build_pr_body.sh:4 |
Full report: https://skillshield.io/report/763a84557c321269 (powered by SkillShield).