Security Audit
conductor-revert
github.com/sickn33/antigravity-awesome-skillsTrust Assessment
conductor-revert received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Command Injection in git log arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Command Injection in git log arguments The skill constructs `git log` commands by directly embedding user-provided values for `trackId`, `X.Y`, and `N` into the `--grep` arguments. If the LLM agent executing this skill constructs these commands using a shell-aware execution method (e.g., `subprocess.run(..., shell=True)` or direct shell execution), an attacker could inject arbitrary shell commands by crafting malicious input for `trackId`, `X.Y`, or `N`. This could lead to unauthorized data access, modification, or system compromise. Implement robust input sanitization and shell escaping for all user-provided variables (`trackId`, `X.Y`, `N`) before they are used in shell commands. Specifically, ensure that these variables are properly quoted or escaped to prevent shell metacharacters from being interpreted as commands. Prefer using array-based command execution (e.g., `subprocess.run(['git', 'log', '--grep', user_input])`) over shell-string execution. | LLM | SKILL.md:89 |
Scan History
Embed Code
[](https://skillshield.io/report/5d97d309d5711db2)
Powered by SkillShield