Trust Assessment
skanetrafiken received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Command Injection via unvalidated datetime input.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via unvalidated datetime input.** The `journey.sh` script is vulnerable to command injection. The `parse_datetime_input` function directly passes user-controlled input (`$DATETIME_INPUT`) to the `date -d` (GNU date) or `date -j -f` (BSD date) commands without proper sanitization or validation. An attacker can inject arbitrary shell commands by crafting the `datetime` argument with shell metacharacters (e.g., `;`, `\|`, `&`). This allows for arbitrary code execution on the system running the skill. **Remediation:** Implement strict validation and sanitization of the `DATETIME_INPUT` variable before passing it to the `date` command. Instead of directly passing the raw input, parse the date and time components using robust string manipulation or regular expressions, and then construct the `date` command arguments from these validated components. Alternatively, use a safer date parsing utility that does not execute arbitrary shell commands. | LLM | journey.sh:130 |