Security Audit
address-github-comments
Repository: github.com/sickn33/antigravity-awesome-skills

Trust Assessment
address-github-comments received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via gh CLI arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via gh CLI arguments | LLM | SKILL.md:29 |

Potential Command Injection via gh CLI arguments (HIGH). The skill describes using `gh` CLI commands, specifically `gh pr comment <PR_NUMBER> --body "..."`. If `<PR_NUMBER>`, or any other argument such as `--body` should it become user-controlled, is derived from untrusted input and inserted directly into a shell command without proper quoting or escaping, the result is a command injection: an attacker who can craft the value of such a parameter could execute arbitrary shell commands, leading to unauthorized actions on the host or against GitHub.

Recommendation: ensure that every user-provided or LLM-generated argument passed to a shell command (including `gh`) is properly quoted or escaped. This typically means quoting each argument or using a command execution mechanism that passes arguments as a separate array rather than interpolating them into a shell string. Where possible, prefer a dedicated GitHub library or the GitHub API over direct shell command execution.