Security Audit
specstory-session-summary
github.com/specstoryai/agent-skillsTrust Assessment
specstory-session-summary received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via $ARGUMENTS.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit 9454d3f2). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Command Injection via $ARGUMENTS The skill instructs the agent to use the `$ARGUMENTS` variable to determine the number of sessions to process or to filter by date. While the skill describes the intended logic ('filter to today's date' or 'use the number provided'), it does not explicitly instruct the agent to sanitize or validate `$ARGUMENTS` before it might be used in shell commands (e.g., as an argument to `head`). A malicious `$ARGUMENTS` value like '5; rm -rf /' could lead to arbitrary command execution if the agent directly interpolates it into a shell command without proper sanitization or validation. Explicitly instruct the agent to sanitize and validate the `$ARGUMENTS` variable to ensure it only contains expected values (e.g., 'today' or a positive integer) before using it in any shell command. For numerical limits, consider having the agent process the output of `ls` in a safer environment (e.g., using a programming language's array slicing) rather than relying on direct shell interpolation with `head -N`. | LLM | SKILL.md:16 |
Scan History
Embed Code
[](https://skillshield.io/report/6af0d6be39ecd223)
Powered by SkillShield