Trust Assessment
prepare-pr received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include Command Injection via Sourcing Untrusted Environment File, Command Injection via Execution of Untrusted Build/Test Scripts, Command Injection Risk via Malicious Environment File Creation for Downstream Skill.
The analysis covered 4 layers: dependency_graph, static_code_analysis, llm_behavioral_safety, manifest_analysis. The llm_behavioral_safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via Sourcing Untrusted Environment File: The skill directly sources `.local/pr-meta.env` using the `source` command. If this file contains user-controlled input (e.g., from a PR title, description, or author name saved by the `/review-pr` skill) that is not properly sanitized, an attacker can inject arbitrary shell commands. These commands will be executed with the permissions of the agent. Avoid sourcing environment files that may contain untrusted input. Instead, parse the file line by line, carefully extracting and sanitizing key-value pairs before using them. Ensure that any upstream process (like `/review-pr`) that writes to `.local/pr-meta.env` strictly sanitizes all user-controlled data to prevent shell metacharacters from being written. | Unknown | SKILL.md:56 |
| CRITICAL | Command Injection via Execution of Untrusted Build/Test Scripts: The skill executes `pnpm build`, `pnpm check`, and `pnpm test` commands within the PR's worktree. The `package.json` and associated scripts (e.g., `scripts` section) are part of the untrusted content from the pull request. An attacker can craft a malicious `package.json` to execute arbitrary commands during these `pnpm` calls, leading to full compromise of the agent's environment. Do not execute build or test scripts from untrusted repositories directly. Implement a secure sandboxing mechanism (e.g., containerization, virtual machines) to isolate the execution of untrusted code. Alternatively, perform static analysis of `package.json` scripts for suspicious commands before execution, or restrict the environment in which these commands run. | Unknown | SKILL.md:136 |
| HIGH | Command Injection Risk via Malicious Environment File Creation for Downstream Skill: The skill writes user-controlled variables such as `$contrib` (PR author login) and `$head` (PR head branch name) directly into `.local/prep.env`. This file is explicitly intended for 'merge handoff' to the `/mergepr` skill. If `/mergepr` sources this `.env` file or uses its contents in shell commands without proper escaping, an attacker could inject arbitrary commands by crafting their GitHub username or branch name, leading to command injection in the downstream skill. When writing user-controlled data to files intended for shell sourcing or command line use, ensure all variables are properly escaped to prevent shell metacharacter injection. For environment files, consider using a format that does not allow direct execution (e.g., JSON) or strictly sanitize values before writing. The downstream skill (`/mergepr`) must also be hardened against sourcing untrusted `.env` files. | Unknown | SKILL.md:204 |
| MEDIUM | Potential Command Injection via Custom Committer Script with User-Controlled Input: The skill calls a custom script `scripts/committer` and passes a `commit_msg` that includes `$contrib` (PR author login), which is user-controlled. The implementation of `scripts/committer` is not provided. If this script is a shell script and does not properly quote or sanitize its arguments, an attacker could inject commands by crafting a malicious GitHub username. Review the `scripts/committer` implementation to ensure it properly sanitizes or quotes all arguments derived from user-controlled input. Ideally, custom scripts should be written in a language that offers better protection against shell injection than raw shell scripting, or use robust argument parsing libraries. | Unknown | SKILL.md:105 |