Security Audit
python-development-python-scaffold
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
python-development-python-scaffold received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Command Injection via User-Controlled Project Name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via User-Controlled Project Name. The skill's instructions indicate that user-provided `$ARGUMENTS` will be used to determine the project name. This project name is then directly inserted into shell commands such as `uv init <project-name>` and `cd <project-name>`. Without proper sanitization or escaping of the user-supplied project name, an attacker could inject arbitrary shell commands by including shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`) in the project name. Implement robust input sanitization and validation for any user-provided input (e.g., project name) before it is used in shell commands. Ensure that shell metacharacters are properly escaped or that a safe command execution mechanism is used that does not directly interpolate user input into the shell command string. | LLM | SKILL.md:36 |