Trust Assessment
cloudformation-to-pulumi received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unsafe Shell Command Construction.
The analysis covered 4 layers: dependency_graph, static_code_analysis, llm_behavioral_safety, manifest_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 8, 2026 (commit 3230a42d). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unsafe Shell Command Construction The skill instructs the agent to construct and execute shell commands using user-provided inputs (`<stack-name>`, `<region>`, `<logical-id>`) without specifying input validation or sanitization. This exposes the agent to command injection attacks if a user provides malicious input (e.g., a stack name containing shell metacharacters like `; rm -rf /`). Instruct the agent to validate inputs against a strict allowlist (e.g., alphanumeric characters only) or use an AWS SDK (like boto3 or aws-sdk) to perform these operations programmatically, avoiding shell interpolation entirely. | Unknown | SKILL.md:56 |
Scan History
Embed Code
[](https://skillshield.io/report/0ed0a7c4d90c4a31)
Powered by SkillShield