Trust Assessment
web-quality-audit received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 1 medium, and 0 low severity. Key findings include Command Injection via Unsanitized Input to find command, JSON Output Injection / Malformed JSON.
The analysis covered 4 layers: dependency_graph, static_code_analysis, manifest_analysis, llm_behavioral_safety. The static_code_analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit f4b5c7d6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via Unsanitized Input to find command.** The `TARGET` variable, which is derived directly from user input (`$1`), is used within double quotes in a `find` command. While double quotes prevent word splitting, they do not prevent command substitution (`$()`) or backtick expansion (`` ` ``). An attacker could provide a `TARGET` value like `$(evil_command)` or `` `evil_command` `` to execute arbitrary commands on the host system with the privileges of the script. Recommendation: implement strict input validation for the `TARGET` variable to ensure it only contains safe path characters and does not contain shell metacharacters or command substitutions. Alternatively, use a safer method to process files that avoids direct shell expansion of user-controlled input, such as passing the argument to a utility that does not interpret shell metacharacters. | Unknown | scripts/analyze.sh:55 |
| MEDIUM | **JSON Output Injection / Malformed JSON.** The script constructs JSON output by directly embedding the contents of `ISSUES` and `WARNINGS` array elements into double-quoted JSON strings without escaping JSON special characters. If any of these elements (e.g., a filename or issue description) contain characters special to JSON (such as double quotes `"`, backslashes `\`, or newlines `\n`), the resulting JSON will be malformed, potentially leading to parsing errors or unexpected behavior in downstream systems consuming this output. Recommendation: escape JSON special characters (double quotes, backslashes, newlines, etc.) in the array elements before printing them. A robust solution would be to use a dedicated JSON processing tool like `jq` to construct the output, which handles proper escaping automatically. | Unknown | scripts/analyze.sh:66 |