Trust Assessment
oss-hunter received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.run()", and "Direct execution of external command via subprocess.run".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/oss-hunter/bin/hunter.py:8 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_gh_command'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/oss-hunter/bin/hunter.py:8 |
| MEDIUM | Direct execution of external command via subprocess.run. The skill directly executes the `gh` (GitHub CLI) command using `subprocess.run`. While the arguments passed to `gh` are currently derived from hardcoded strings and structured API output (GitHub repository names), the use of `subprocess.run` always introduces a potential command injection vector. If arguments were to be derived from untrusted user input in a future version, or if the `gh` CLI itself had an argument parsing vulnerability, this could lead to arbitrary command execution. The `gh` CLI is a powerful tool that, if compromised or misused, could lead to unauthorized actions on the user's GitHub account. If possible, consider using a dedicated Python library for GitHub API interaction (e.g., `PyGithub`) instead of shelling out to the `gh` CLI. This provides better control over inputs and reduces reliance on external binary execution. If `gh` CLI is strictly necessary, ensure all arguments derived from external sources are rigorously validated and sanitized. Using `subprocess.run` with a list of arguments (as done here) is generally safer than `shell=True`, but vigilance is still required. | LLM | bin/hunter.py:8 |
| LOW | Reliance on powerful external CLI tool (`gh`) with broad permissions. The skill relies on the `gh` (GitHub CLI) tool, which, when authenticated, typically has broad access to the user's GitHub account. Although the current implementation only performs read-only operations (`search/repositories`, `issue list`), the underlying `gh` tool has capabilities for write operations (e.g., creating issues, pull requests, commenting, deleting repositories). This introduces an implicit excessive permission risk, as a future modification to the skill or a malicious update could leverage these broader permissions without explicit user consent for the expanded scope. Clearly document the required `gh` scopes/permissions for the skill to function. If the environment allows, restrict the `gh` token used by the agent to the minimum necessary read-only scopes (e.g., `public_repo` or more granular if available). Consider using a dedicated GitHub API client library that allows for more granular permission control at the code level, rather than relying on a broadly scoped CLI tool. | LLM | bin/hunter.py:8 |