Trust Assessment
trello received a trust score of 84/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via Unsanitized User Input and Sensitive Credentials Exposed in URL Query Parameters.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via Unsanitized User Input.** The skill provides `curl` command examples that include placeholders for user-supplied values (e.g., `{boardId}`, `{listId}`, `Card Title`, `Card description`, `Your comment here`). If an LLM directly interpolates untrusted user input into these command templates without proper sanitization (e.g., shell escaping, URL encoding), it could lead to command injection. An attacker could craft malicious input to execute arbitrary shell commands on the host system where the skill is run. Implement robust input validation and sanitization for all user-provided parameters before constructing and executing shell commands. Ensure that all dynamic parts of the command are properly escaped or quoted to prevent shell metacharacter interpretation. For example, use a library or function that safely escapes arguments for shell execution. | LLM | SKILL.md:31 |
| MEDIUM | **Sensitive Credentials Exposed in URL Query Parameters.** The `TRELLO_API_KEY` and `TRELLO_TOKEN` are consistently passed as query parameters in the `curl` command examples. While this is a functional method for the Trello API, it is generally less secure than using HTTP headers for sensitive tokens. Query parameters can be logged in plain text by web servers, proxy servers, network monitoring tools, and browser history, increasing the risk of credential exposure. The skill itself notes that these credentials provide 'full access to your Trello account'. If the Trello API supports it, prefer passing API keys and tokens via HTTP `Authorization` headers (e.g., `Authorization: OAuth <token>`) rather than URL query parameters. If query parameters are unavoidable, ensure that all systems handling these requests (proxies, logs, etc.) are configured to redact or encrypt sensitive information. | LLM | SKILL.md:21 |