Trust Assessment
read-github received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 3 critical, 3 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.Popen(), Unpinned `npx` dependency allows arbitrary code execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/am-will/read-github/scripts/gitmcp.py:62 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/am-will/read-github/scripts/gitmcp.py:93 |
| CRITICAL | Unpinned `npx` dependency allows arbitrary code execution. The `scripts/gitmcp.py` script uses `subprocess.Popen` to execute `npx -y mcp-remote`. When `npx` is used without a version specifier, it fetches and executes the latest available version of the `mcp-remote` package from npm, which constitutes an unpinned dependency. An attacker could publish a malicious update to the `mcp-remote` package, and this skill would automatically download and execute the malicious code, leading to arbitrary code execution on the host system. The `-y` flag exacerbates this by automatically confirming the installation without user intervention. Pin `mcp-remote` to a known good version (e.g., `npx -y mcp-remote@1.2.3`). Alternatively, install `mcp-remote` globally or locally at a pinned version using a package manager like `npm` or `yarn`, verify its integrity, and call the installed executable directly instead of relying on `npx` to fetch it. | LLM | scripts/gitmcp.py:49 |
| HIGH | Dangerous call: subprocess.Popen(). Call to 'subprocess.Popen()' detected in function 'list_tools'. This can execute arbitrary code. Avoid dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/am-will/read-github/scripts/gitmcp.py:62 |
| HIGH | Dangerous call: subprocess.Popen(). Call to 'subprocess.Popen()' detected in function 'call_tool'. This can execute arbitrary code. Avoid dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/am-will/read-github/scripts/gitmcp.py:93 |
| HIGH | Skill can fetch content from arbitrary URLs. The `fetch-url` command and the underlying `fetch_generic_url_content` tool allow the skill to retrieve content from any URL provided by the user. While this is a designed feature for accessing referenced documentation, it grants the skill broad network access, which could be abused by a malicious user to (1) probe internal networks if the skill's execution environment has such access (Server-Side Request Forgery, SSRF); (2) exfiltrate sensitive data from external services if a user provides a URL pointing to such data; (3) consume excessive network resources or trigger denial of service against arbitrary targets. The skill description mentions 'respecting robots.txt', which is a partial mitigation but not a security guarantee against malicious intent or misconfiguration. Implement strict URL validation within the `mcp-remote` service or the skill itself, such as allow-listing specific domains, disallowing private IP ranges, or restricting protocols. Clearly document the security implications of this feature to users and administrators, and consider whether such broad URL fetching is strictly necessary or can be scoped down to trusted sources only. | LLM | scripts/gitmcp.py:105 |
Full report: https://skillshield.io/report/fcff4a7337201823
Powered by SkillShield