Trust Assessment
publisher received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings:

- Command Injection via user-controlled awk variable
- Command Injection via untrusted SKILL_NAME in gh CLI call
- Unpinned dependencies in installation instructions
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via user-controlled awk variable.** The script takes user input for `CHOSEN_DESC` when the user selects option 'D' for the one-liner. This user-controlled string is then directly interpolated into an `awk` command using `-v desc="$CHOSEN_DESC"`. An attacker can inject arbitrary `awk` code, including `system()` calls, by crafting a malicious `CHOSEN_DESC` that breaks out of the variable assignment. For example, `foo"; system("rm -rf /")` could execute `rm -rf /`. Properly sanitize or escape the `CHOSEN_DESC` variable before passing it to `awk -v`. A safer approach might be to pass the description via a temporary file or use a more robust parsing library that doesn't rely on direct shell interpolation of untrusted strings. If `awk` must be used, ensure the variable content is strictly sanitized or quoted in a way that prevents `awk` code injection, for example, by escaping all special `awk` characters or using a method that treats the input purely as data. | LLM | scripts/publish.sh:130 |
| HIGH | **Command Injection via untrusted SKILL_NAME in gh CLI call.** The `SKILL_NAME` variable is extracted from the `SKILL.md` frontmatter, which is untrusted content. This variable is then used directly in the `gh repo create "$SKILL_NAME"` command. If an attacker can control the `name` field in `SKILL.md` (e.g., `name: myrepo; rm -rf /`), they could inject arbitrary shell commands that would be executed by the `gh` CLI subprocess. Sanitize `SKILL_NAME` to ensure it only contains valid characters for a GitHub repository name (e.g., alphanumeric characters, hyphens) before passing it to `gh repo create`. Alternatively, use a library or function that safely handles subprocess arguments, preventing shell metacharacter interpretation. | LLM | scripts/publish.sh:160 |
| MEDIUM | **Unpinned dependencies in installation instructions.** The script provides installation instructions for `jq`, `gh`, and `clawdhub` using `brew install` and `npm install -g`. These commands install the latest available versions of the tools without specifying a version. This introduces a supply chain risk, as a malicious update to any of these packages could be automatically installed and executed on the user's system. Recommend pinning dependency versions where possible (e.g., `npm install -g clawdhub@1.2.3`). For `brew`, while direct version pinning is harder, users should be advised to review updates. For critical tools, consider vendoring or using containerized environments to ensure consistent and controlled dependencies. | LLM | scripts/publish.sh:20 |
Full report: [skillshield.io/report/96665dcba7099bee](https://skillshield.io/report/96665dcba7099bee)
Powered by SkillShield