Security Audit
Sounder25/Google-Antigravity-Skills-Library:05_update_breadcrumbs
github.com/Sounder25/Google-Antigravity-Skills-Library

Trust Assessment
Sounder25/Google-Antigravity-Skills-Library:05_update_breadcrumbs received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via PowerShell script inputs.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 28, 2026 (commit 09376edc). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via PowerShell script inputs.** The skill description indicates that its implementation relies on a PowerShell script (`update_breadcrumbs.ps1`) which processes user-provided string inputs (`--status`, `--objective`, `--next-steps`, `--blockers`). If these inputs are not properly sanitized or escaped before being used within the PowerShell script (e.g., in file writing operations or other command executions), a malicious actor could inject arbitrary commands for execution. *Recommendation:* implement robust input sanitization and escaping for all user-provided parameters (`--status`, `--objective`, `--next-steps`, `--blockers`) within `update_breadcrumbs.ps1` before using them in any command execution or file writing operations. Consider using PowerShell's built-in parameter validation and safe string handling functions to prevent injection. | Static | SKILL.md:20 |
Powered by SkillShield