Trust Assessment
steamcommunity received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via unsanitized user input in curl arguments, Sensitive session cookie exposed in shell command arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via unsanitized user input in curl arguments. The skill's example `curl` commands directly interpolate environment variables (`$STEAM_ID`, `$APP_ID`, `$LAST_ASSET_ID`) into the URL string. If an LLM agent allows user-controlled input to populate these variables without proper sanitization or escaping, a malicious user could inject arbitrary shell commands by crafting input that breaks out of the URL string (e.g., `123; rm -rf /`). This could lead to arbitrary code execution on the host system. Implement robust input validation and sanitization for all user-provided variables (`STEAM_ID`, `APP_ID`, `LAST_ASSET_ID`) before constructing and executing shell commands. Ensure that these variables are properly escaped for the shell execution context, or use a safer method for constructing the `curl` command (e.g., a dedicated HTTP client library in a scripting language that handles parameter encoding). | LLM | SKILL.md:39 |
| MEDIUM | Sensitive session cookie exposed in shell command arguments. The `STEAM_COOKIES` environment variable, which contains a sensitive `steamLoginSecure` session cookie, is directly interpolated into the `curl` command's `-H "Cookie: $STEAM_COOKIES"` argument. While necessary for authentication, this pattern means the full cookie value is present in the command-line arguments. If the LLM agent's execution environment logs shell commands, or if the `curl` command's output (e.g., error messages) were to inadvertently echo parts of the request, the session cookie could be exposed in logs or to unauthorized parties. Avoid passing sensitive credentials directly in command-line arguments. If possible, use a method that allows `curl` to read the header from a file or standard input, or use a dedicated HTTP client library in a scripting language that handles secrets more securely (e.g., by not exposing them in process lists or logs). If direct command-line interpolation is unavoidable, ensure strict logging policies are in place to prevent command-line arguments from being logged. | LLM | SKILL.md:41 |