Trust Assessment
skill-publisher-claw-skill received a trust score of 44/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 7 critical, 0 high, 3 medium, and 0 low severity. Key findings include "Missing required field: name", "Sensitive environment variable access: $HOME", and "Unquoted variable in git command leads to command injection".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unquoted variable in git command leads to command injection. The `git log` command in `changelog.sh` uses the `$RANGE` variable without quotes. If an attacker can control the value of `$RANGE` (e.g., by manipulating the `--since` argument), they can inject arbitrary shell commands that will be executed by the script. This is a classic command injection vulnerability. Always quote variables that contain user-controlled or potentially untrusted input when used in shell commands. Change `git log $RANGE` to `git log "$RANGE"` for all occurrences in the script. | LLM | changelog.sh:40 |
| CRITICAL | Unquoted variable in git command leads to command injection. Same finding as above (unquoted `$RANGE` in `git log`); change `git log $RANGE` to `git log "$RANGE"`. | LLM | changelog.sh:44 |
| CRITICAL | Unquoted variable in git command leads to command injection. Same finding as above (unquoted `$RANGE` in `git log`); change `git log $RANGE` to `git log "$RANGE"`. | LLM | changelog.sh:48 |
| CRITICAL | Unquoted variable in git command leads to command injection. Same finding as above (unquoted `$RANGE` in `git log`); change `git log $RANGE` to `git log "$RANGE"`. | LLM | changelog.sh:52 |
| CRITICAL | Unquoted variable in git command leads to command injection. Same finding as above (unquoted `$RANGE` in `git log`); change `git log $RANGE` to `git log "$RANGE"`. | LLM | changelog.sh:56 |
| CRITICAL | Unquoted variable in git command leads to command injection. Same finding as above (unquoted `$RANGE` in `git log`); change `git log $RANGE` to `git log "$RANGE"`. | LLM | changelog.sh:57 |
| CRITICAL | Unquoted variable in git command leads to command injection. Same finding as above (unquoted `$RANGE` in `git log`); change `git log $RANGE` to `git log "$RANGE"`. | LLM | changelog.sh:61 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from the frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/acastellana/skill-publisher-claw-skill/SKILL.md:1 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to the sensitive environment variable '$HOME' was detected in a shell context. Verify that this environment variable access is necessary and that the value is not exfiltrated. | Static | skills/acastellana/skill-publisher-claw-skill/audit.sh:89 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to the sensitive environment variable '$HOME' was detected in a shell context. Verify that this environment variable access is necessary and that the value is not exfiltrated. | Static | skills/acastellana/skill-publisher-claw-skill/fix.sh:149 |