Trust Assessment
weather received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via `curl` arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Command Injection via `curl` arguments The skill demonstrates the use of `curl` to fetch weather data. The examples in `SKILL.md` show `curl` commands where parts of the URL, such as the location (e.g., 'London'), are highly likely to be derived from user input. If user-provided input is directly interpolated into the `curl` command string without proper sanitization (e.g., escaping shell metacharacters or using a safe command execution method), a malicious user could inject arbitrary shell commands. For example, providing input like `London?format=3; $(evil_command)` could lead to the execution of `evil_command` on the host system. Ensure all user-provided inputs used in `curl` commands are strictly validated and properly sanitized/escaped to prevent shell metacharacters from being interpreted as commands. It is recommended to use a library or function that safely constructs command-line arguments, or to explicitly escape all potentially dangerous characters in user input before passing it to `curl`. | LLM | SKILL.md:10 |
Scan History
Embed Code
[](https://skillshield.io/report/4fcb52a4caceddad)
Powered by SkillShield