Trust Assessment
copilot-sdk received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include Potential Command Injection via Local MCP Server Configuration, Risk of Excessive Permissions leading to Command Execution via `onPermissionRequest` Hook, and Potential Data Exfiltration via Environment Variables in Local MCP Server.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential Command Injection via Local MCP Server Configuration | LLM | SKILL.md:200 |
| HIGH | Risk of Excessive Permissions leading to Command Execution via `onPermissionRequest` Hook | LLM | SKILL.md:260 |
| MEDIUM | Potential Data Exfiltration via Environment Variables in Local MCP Server | LLM | SKILL.md:215 |
| LOW | Unpinned Dependencies in Installation Instructions | LLM | SKILL.md:40 |

CRITICAL: Potential Command Injection via Local MCP Server Configuration (LLM layer, SKILL.md:200)
The skill allows configuring `mcpServers` entries of type `"local"`, which spawn the configured `command` with the given `args`, `env` variables, and `cwd`. If any of `command`, `args`, `env`, or `cwd` can be influenced by untrusted input (for example user prompts or externally supplied configuration), an attacker controls what process runs on the host, which amounts to arbitrary code execution. The `tools: ["*"]` option widens the blast radius further by granting the agent every tool the local server exposes.
Recommendation: strictly validate all inputs used to build `mcpServers` configurations, especially `command`, `args`, `env`, and `cwd`, and never let untrusted input control these fields directly. Allowlist the permitted commands (by absolute path) and their arguments, and restrict `tools` to the specific functions the skill needs instead of `["*"]`.

HIGH: Risk of Excessive Permissions leading to Command Execution via `onPermissionRequest` Hook (LLM layer, SKILL.md:260)
The `onPermissionRequest` hook allows programmatic approval of tool calls, including `shell` commands. If the hook is implemented without sufficient validation, or if its decision logic can be steered by untrusted input, it can end up approving and executing arbitrary shell commands. The example in SKILL.md takes the safer route of approving only `git` commands, but nothing prevents an insecure implementation, and even a `git` prefix check is not enough on its own: subcommands such as `push` modify remote state, and options such as `git -c core.pager=...` or `--output=` can run a program or write files.
Recommendation: make `onPermissionRequest` implementations validate the full command line and allowlist both the subcommand and its arguments. Never auto-approve `shell` commands on the basis of untrusted input. Require human confirmation for sensitive operations, or restrict automatic approval to a very narrow, read-only set of commands.

MEDIUM: Potential Data Exfiltration via Environment Variables in Local MCP Server (LLM layer, SKILL.md:215)
The `mcpServers` configuration for local servers includes an `env` field that passes named environment variables to the spawned command. If sensitive variables (cloud credentials, API tokens, private keys) are passed, inadvertently or deliberately, to a local command that is not fully trusted, the command can read and exfiltrate them.
Recommendation: review and restrict the variables passed via `env` to local MCP servers. Do not pass credentials or the parent's environment wholesale; pass only the variables the command strictly needs, and make sure the command itself is trusted.

LOW: Unpinned Dependencies in Installation Instructions (LLM layer, SKILL.md:40)
The installation instructions for the supported languages (Node.js, Python, Go, .NET) install packages without specifying a version (for example `npm install @github/copilot-sdk`). An unpinned install resolves to whatever version is current at install time, so a later release of the package or one of its dependencies that introduces malicious code or a breaking change is picked up automatically.
Recommendation: recommend pinning package versions in the instructions (for example `npm install @github/copilot-sdk@1.2.3`). A pinned version in the install command only fixes the direct dependency; commit a lockfile (`package-lock.json`, a hashed `requirements.txt`, `go.sum`, or `packages.lock.json`) so transitive dependencies and their integrity hashes are pinned as well, and review and update dependencies in a controlled manner.
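The CRITICAL, HIGH and MEDIUM findings all come down to a policy decision that the integrating application has to make before it hands a `local` `mcpServers` entry or a `shell` permission to the SDK. The TypeScript below is an added example of that policy written for this page; it is not code from the copilot-sdk, from its SKILL.md, or from SkillShield. The `mcpServers` field names (`type`, `command`, `args`, `env`, `cwd`, `tools`) are the ones named in the findings; the shape of the permission request (`{ kind, command }`), the `approve`/`deny`/`ask` return values, and the allowlisted binaries, environment variable names and working-directory root are assumptions to be replaced with the SDK's actual types and your own policy.

```typescript
// Added example (editor's code, not from @github/copilot-sdk or SkillShield).
// Field names of the mcpServers entry follow the SkillShield findings; the request
// shape passed to the permission hook and the allowlists below are assumptions.

type LocalMcpServer = {
  type: string;                 // "local" is the type that spawns a process
  command: string;
  args?: string[];
  env?: Record<string, string>;
  cwd?: string;
  tools?: string[];             // ["*"] exposes every tool of the server
};

// Hypothetical site policy: only these binaries may be spawned as a local MCP server,
// only these variables may be handed to them, and they must run under this directory.
const ALLOWED_COMMANDS = new Set(["/usr/local/bin/my-mcp-server", "/usr/bin/npx"]);
const ALLOWED_ENV_KEYS = new Set(["MCP_LOG_LEVEL", "MCP_DATA_DIR"]);
const CWD_ROOT = "/srv/mcp/";
// Arguments are limited to a conservative character set: no whitespace, quotes or
// shell metacharacters, so a prompt-derived value cannot smuggle in extra arguments.
const SAFE_ARG = /^[A-Za-z0-9_.\/=:-]{1,128}$/;

// Returns the list of policy violations; an empty list means the entry may be used.
function validateLocalMcpServer(cfg: LocalMcpServer): string[] {
  const problems: string[] = [];
  if (cfg.type !== "local") problems.push(`unexpected server type: ${cfg.type}`);
  if (!ALLOWED_COMMANDS.has(cfg.command)) problems.push(`command not allowlisted: ${cfg.command}`);
  for (const a of cfg.args ?? []) {
    if (!SAFE_ARG.test(a)) problems.push(`argument rejected: ${JSON.stringify(a)}`);
  }
  for (const k of Object.keys(cfg.env ?? {})) {
    if (!ALLOWED_ENV_KEYS.has(k)) problems.push(`env var not allowlisted: ${k}`);
  }
  if (cfg.cwd !== undefined && (!cfg.cwd.startsWith(CWD_ROOT) || cfg.cwd.split("/").includes(".."))) {
    problems.push(`cwd outside ${CWD_ROOT}: ${cfg.cwd}`);
  }
  if (!cfg.tools || cfg.tools.length === 0 || cfg.tools.includes("*")) {
    problems.push('tools must name specific tools, not "*"');
  }
  return problems;
}

// Assumed shape of what the hook receives: a kind ("shell", "write_file", ...) and,
// for shell requests, the command line the agent wants to run.
type PermissionRequest = { kind: string; command?: string };
// "ask" means: do not decide programmatically, hand the request to a human.
type Decision = "approve" | "deny" | "ask";

// git subcommands that only read repository state when given plain arguments.
const READ_ONLY_GIT = new Set(["status", "log", "diff", "show", "rev-parse"]);
// Options that make a "read-only" subcommand write files or run a program. "-c" is
// refused everywhere (it also means "combined diff"); that is a deliberate over-block.
const DANGEROUS_OPTS = ["--output", "--ext-diff", "--exec", "-c", "--config-env"];

function decideShellPermission(req: PermissionRequest): Decision {
  if (req.kind !== "shell") return "ask";
  const cmd = (req.command ?? "").trim();
  // Chaining, substitution, redirection and quoting are never auto-approved; the
  // goal is a single git process, not a shell script.
  if (/[;&|`$<>()'"\\\r\n]/.test(cmd)) return "deny";
  const argv = cmd.split(/\s+/);
  if (argv[0] !== "git" || argv.length < 2) return "ask";
  const sub = argv[1] ?? "";
  // `git -c core.pager=... log` configures git before the subcommand runs; refuse
  // any option in the subcommand position rather than try to enumerate them.
  if (sub.startsWith("-")) return "deny";
  if (!READ_ONLY_GIT.has(sub)) return "ask";
  const tail = argv.slice(2);
  if (tail.some((a) => DANGEROUS_OPTS.some((d) => a === d || a.startsWith(d + "=")))) return "deny";
  return "approve";
}
```

Both functions are deny-by-default: anything the policy does not positively recognise is either rejected or escalated to a human with `ask`, which is the property the HIGH finding asks for. Run `validateLocalMcpServer` over every `mcpServers` entry before it reaches the SDK, and call `decideShellPermission` from inside your `onPermissionRequest` implementation, mapping its result onto whatever approve/deny value the SDK's hook actually expects.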
Full report: https://skillshield.io/report/743d4242a42f5475 (powered by SkillShield)