Trust Assessment
skill-sharer received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 2 critical, 3 high, 2 medium, and 0 low severity. Key findings include Command Injection via user-controlled skill path, Command Injection via skill name or description in git commit message, Command Injection in `generate-readme.sh` via skill directory.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via user-controlled skill path.** The `share-skill.sh` script directly uses the user-provided `SKILL_PATH` in a `cd` command without proper sanitization or quoting. An attacker can inject arbitrary shell commands by crafting a malicious `SKILL_PATH` (e.g., `$(rm -rf /)`). This vulnerability is then propagated to `sanitize.sh` and `generate-readme.sh` which also use the unsanitized path. Recommendation: Sanitize or strictly validate `SKILL_PATH` before using it in shell commands. Consider using `printf %q` for quoting or ensuring the path does not contain special characters. Alternatively, use a safer method to resolve the absolute path that doesn't involve `cd` with untrusted input. | LLM | scripts/share-skill.sh:40 |
| CRITICAL | **Command Injection via skill name or description in git commit message.** The `share-skill.sh` script constructs a `git commit` message using user-provided `SKILL_NAME` and `DESCRIPTION`. If these variables contain shell metacharacters (e.g., backticks `` ` `` or `$(command)`), they can lead to arbitrary command execution during the `git commit` operation. Recommendation: Escape or sanitize `SKILL_NAME` and `DESCRIPTION` before including them in the `git commit` message. Use `printf %q` to properly quote the variables for shell execution context, or ensure they are passed as literal strings to `git`. | LLM | scripts/share-skill.sh:120 |
| HIGH | **Command Injection in `generate-readme.sh` via skill directory.** The `generate-readme.sh` script uses the `SKILL_DIR` (derived from user-controlled `SKILL_PATH`) in multiple commands like `grep`, `find`, `cat >`, and `sed`. If `SKILL_DIR` contains shell metacharacters, it can lead to command injection. For example, `$(command)` in the directory name could be executed. Recommendation: Ensure `SKILL_DIR` is properly sanitized or quoted before being used in shell commands. Use `printf %q` for quoting or validate the path to prevent injection. | LLM | scripts/generate-readme.sh:10 |
| HIGH | **Command Injection in `sanitize.sh` via input/output directories.** The `sanitize.sh` script uses `INPUT_DIR` (user-controlled `SKILL_PATH`) and `OUTPUT_DIR` in commands like `cp -r` and `find`. If `INPUT_DIR` or `OUTPUT_DIR` contain shell metacharacters, it can lead to command injection. For example, `cp -r '$(evil_command)'/. ...` could execute `evil_command`. Recommendation: Sanitize or strictly validate `INPUT_DIR` and `OUTPUT_DIR` before using them in shell commands. Use `printf %q` for quoting or ensure paths do not contain special characters. | LLM | scripts/sanitize.sh:19 |
| HIGH | **Excessive Permissions: GitHub repository write access.** The `share-skill.sh` script performs `gh repo clone`, `git add`, `git commit`, and `git push` operations to a hardcoded GitHub repository (`henrino3/Enterprise-Crew-skills`). This requires the agent to have write permissions to this repository. Granting an automated agent such broad write access to a public repository poses a significant risk if the agent or skill is compromised, potentially leading to unauthorized code changes, data exfiltration, or supply chain attacks. Recommendation: Implement stricter access controls. Consider using a dedicated GitHub App or a fine-grained personal access token with minimal necessary permissions (e.g., only to a specific branch or for specific file paths). Implement a pull request workflow where the agent creates a PR, and a human reviews and merges it, rather than direct push access. | LLM | scripts/share-skill.sh:121 |
| MEDIUM | **Prompt Injection / Hidden Instructions in generated README.md.** The `update-index.sh` script inserts user-controlled `SKILL_NAME` and `DESCRIPTION` directly into the `README.md` file. If these inputs contain specially crafted markdown or text (e.g., `[IMPORTANT: IGNORE ALL PREVIOUS INSTRUCTIONS]`), they could be interpreted as prompt injection attempts by an LLM processing the `README.md`, or as hidden instructions for a human user. Malicious links or embedded scripts could also be introduced. Recommendation: Sanitize `SKILL_NAME` and `DESCRIPTION` to remove or escape any markdown formatting or special characters before inserting them into the `README.md`. For example, escape `[`, `]`, `(`, `)`, `\|`, etc., to prevent them from being interpreted as markdown. | LLM | scripts/update-index.sh:13 |
| MEDIUM | **Data Exfiltration Risk due to potential sanitization bypass.** The `sanitize.sh` script attempts to strip sensitive information using regex patterns. However, no sanitization is foolproof. An attacker could encode or obfuscate sensitive data in a way that bypasses the current regexes. Since the `share-skill.sh` script then performs a `git push` to a public repository, any data that bypasses sanitization would be exfiltrated. While a 'LEAKS' check is present, it's not exhaustive and serves as a warning rather than a preventative measure. Recommendation: Enhance sanitization rules with more robust patterns, consider multiple layers of sanitization, or implement a 'deny-by-default' approach for publishing. For highly sensitive skills, manual review of the sanitized output should be mandatory before publishing. The 'LEAKS' check should be expanded and potentially block pushes if critical patterns are found. | LLM | scripts/share-skill.sh:121 |