Trust Assessment
spec-driven-eval received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via Shell Execution of Untrusted Inputs.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on July 1, 2026 (commit 5e8b8e75). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Potential Command Injection via Shell Execution of Untrusted Inputs The skill instructs the agent to execute shell commands (e.g., node -e or python3 -c) using data extracted from untrusted PRD/spec files. If these files contain malicious payloads, it could lead to arbitrary code execution. Avoid executing shell commands with untrusted inputs. Use secure, sandboxed parsing or internal LLM arithmetic instead of invoking external interpreters directly with dynamic arguments. | LLM | SKILL.md:115 |
Scan History
Embed Code
[](https://skillshield.io/report/9e556c1bf723ce25)
Powered by SkillShield