Security Audit
planning-with-files
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
planning-with-files received a trust score of 52/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 3 high, 1 medium, and 0 low severity. Key findings include: Dangerous tool allowed: Bash; Unsanitized user input leads to command injection in `init-session.sh`; Potential command injection via unsanitized argument in `check-complete.sh`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Dangerous tool allowed: Bash** The skill allows the `Bash` tool without constraints. This grants the model arbitrary command execution on the host. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | skills/planning-with-files/SKILL.md:1 |
| HIGH | **Unsanitized user input leads to command injection in `init-session.sh`** `scripts/init-session.sh` takes its first argument (`$1`) and assigns it directly to `PROJECT_NAME`, which is then used in an `echo` statement and inside an unquoted here-document (`cat > progress.md << EOF ... $PROJECT_NAME ... EOF`). Note that the shell does not re-parse an expanded value: a `$(evil_command)` carried in `$1` is written into `progress.md` and echoed as literal text, not executed, so this path alone does not yield command execution unless the value later reaches `eval`, is used unquoted as a command, or is otherwise re-interpreted. The concrete defect is that unvalidated, caller-controlled text is written verbatim into a file and into output that the model subsequently consumes, which is a content-injection channel; because the unconstrained `Bash` tool is declared, instructions planted that way can be turned into arbitrary commands. Validate `PROJECT_NAME` against a whitelist of allowed characters (for example `[A-Za-z0-9._-]`, not beginning with `-`) and reject everything else; write it with `printf '%s'` rather than `echo`; quote the here-document delimiter (`cat > progress.md << 'EOF'`) for the static part of the template so nothing in the body expands; and use `printf %q` if the value must ever be passed through to another shell command. | LLM | scripts/init-session.sh:7 |
| HIGH | **Broad tool access combined with command injection enables data exfiltration and credential harvesting** The skill declares powerful tools: `Bash`, `Read`, `Write`, `Edit`, `Glob`, `Grep`, `WebFetch`, and `WebSearch`. Some of these may be necessary for the skill's functionality, but `Bash` without constraints already gives the model arbitrary command execution, and the unvalidated arguments in `scripts/init-session.sh` and `scripts/check-complete.sh` give attacker-controlled content a path into what the model acts on. Together these enable **data exfiltration** (reading sensitive files such as `/etc/passwd` or application data with `Read`/`Grep` or an injected `cat`, then sending them to an external server with `WebFetch` or an injected `curl`/`wget`) and **credential harvesting** (reading environment variables via `printenv`, cloud provider credentials such as `~/.aws/credentials`, or API keys from configuration files, and exfiltrating them the same way). Fix the argument handling in both scripts by rigorously validating all user-controlled inputs. Re-evaluate whether `Bash` is strictly necessary for the skill's core functionality, or whether its scope can be limited (a more restricted execution environment, or specific commands wrapped in a safer way). If `Bash` is essential, harden every invocation and script against injection. | LLM | Manifest |
| MEDIUM | **Potential command injection via unsanitized argument in `check-complete.sh`** `scripts/check-complete.sh` assigns its first argument to `PLAN_FILE` with `PLAN_FILE="${1:-task_plan.md}"`, and `PLAN_FILE` is consistently quoted in the `grep` commands that use it. A `$(evil_command)` in `$1` is not executed by that assignment: parameter expansion does not re-parse its result. What the unvalidated argument does allow is pointing `grep` at any path the caller chooses, including files outside the project, and a value beginning with `-` can be read by `grep` as an option rather than a filename unless the invocation separates options from operands with `--`. The manifest's `Stop` hook calls this script without arguments, so that invocation is safe; but because the `Bash` tool is declared, the LLM can call the script directly with an attacker-chosen argument. Validate `$1`: require a plain filename with no path separators that does not start with `-`, and check that it exists and is a regular file. If the script is only intended to run from the hook without arguments, remove the `$1` parameter expansion and hardcode `PLAN_FILE="task_plan.md"`. | LLM | scripts/check-complete.sh:5 |
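The two argument-handling patterns that the `init-session.sh` and `check-complete.sh` findings describe, reconstructed here as an added example rather than the project's own scripts, each beside a hardened form. The function names, the `progress.md` and `task_plan.md` contents and the `- [ ]` checkbox convention are assumptions made for the demonstration; what the example exercises is the shell behaviour the findings turn on: a `$(...)` carried in `$1` is written out as literal text rather than executed, while an unchecked argument still reaches `grep` as a path.

```bash
#!/usr/bin/env bash
# Added example, not the planning-with-files project's own scripts: reconstructs
# the argument-handling patterns from the two script findings and hardens them.
set -u

# Pattern from the init-session.sh finding: $1 goes straight into PROJECT_NAME
# and is expanded inside an unquoted here-document. The value is expanded, not
# re-parsed, so a $(...) in $1 lands in the file as literal text. The defect is
# that unvalidated caller-controlled text is written verbatim into progress.md.
unsafe_init_session() {
    local project_name="$1"
    local out="$2"
    cat > "$out" << EOF
# Progress for $project_name
EOF
}

# Hardened: accept only a conservative character set and refuse option-looking
# names (a leading '-'), so the value is safe to hand to any later command.
validate_project_name() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;   # empty, or a char outside the whitelist
        -*) return 1 ;;                      # would be parsed as an option elsewhere
    esac
    return 0
}

# Hardened writer: validate first, emit the dynamic part with printf '%s', and
# quote the here-document delimiter so the static template cannot expand anything.
safe_init_session() {
    local project_name="$1"
    local out="$2"
    validate_project_name "$project_name" || return 1
    {
        printf '# Progress for %s\n' "$project_name"
        cat << 'EOF'
## Status
- [ ] started
EOF
    } > "$out"
}

# Pattern from the check-complete.sh finding: PLAN_FILE="${1:-task_plan.md}".
# Hardened: a bare filename only (no '/', not starting with '-') that is an
# existing regular file in the current directory; printed back for the caller.
resolve_plan_file() {
    local plan_file="${1:-task_plan.md}"
    case $plan_file in
        -*|*/*) return 1 ;;
    esac
    [ -f "$plan_file" ] || return 1
    printf '%s\n' "$plan_file"
}

# Stand-in for the script's grep checks: count unchecked "- [ ]" items (assumed
# format). '--' keeps grep from ever reading the path as an option.
count_open_tasks() {
    local plan_file
    plan_file=$(resolve_plan_file "${1:-}") || return 1
    grep -c -- '^- \[ \]' "$plan_file"
}
```

Running `unsafe_init_session '$(echo pwned > marker)' progress.md` under `bash` writes the literal `$(...)` text into the file and creates no `marker`, which is why the script's real exposure is content injection rather than immediate command execution; `safe_init_session` rejects the same input before anything is written, and `count_open_tasks` refuses `/etc/passwd`, `-r`, and any name that is not an existing regular file in the working directory.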
Scan History
Full report: https://skillshield.io/report/7a26ecf3d47dcd92
Powered by SkillShield