Trust Assessment
iterate-pr received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are "Potential Command Injection via unsanitized parameters in shell commands" and "Broad permissions granted by GitHub CLI (`gh`) for API calls and repository write access".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via unsanitized parameters in shell commands.** The skill instructs the LLM to construct and execute shell commands that include variable parts (e.g., commit messages, PR/repo identifiers, run IDs). If the LLM populates these variables with untrusted user input or dynamically generated content without proper sanitization or escaping, an attacker could inject arbitrary shell commands. This is a direct exploit path if the LLM's implementation does not rigorously validate and escape all command arguments. The LLM implementation must ensure that all user-provided or dynamically generated inputs used in shell commands are rigorously sanitized and escaped to prevent shell metacharacter injection. For example, by quoting arguments, using specific API parameters instead of direct shell string interpolation, or validating input against a strict allow-list. | LLM | SKILL.md:89 |
| MEDIUM | **Broad permissions granted by GitHub CLI (`gh`) for API calls and repository write access.** The skill relies on the `gh` CLI, which, when authenticated, typically operates with the full permissions of the user's GitHub account. Specifically, the `gh api` command allows interaction with arbitrary GitHub API endpoints, potentially enabling actions beyond the skill's stated intent (e.g., data exfiltration from private repositories, repository modification, or administrative actions) if the LLM is manipulated or misinterprets instructions. Additionally, the `git push` command grants write access to the repository. While the skill's explicit instructions are limited to PR management, the underlying tools provide excessive capabilities that could be abused. Implement strict validation and allow-listing for `gh api` calls, ensuring only explicitly permitted endpoints and parameters are used. For `git push`, ensure that the LLM's decision to push is based on verified and safe changes. Consider using GitHub App tokens with fine-grained permissions instead of personal access tokens for `gh` CLI authentication where possible, to limit the scope of actions. | LLM | SKILL.md:54 |