Trust Assessment
Lint Hunter received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Command Injection via unsanitized script argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 78ae406e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Command Injection via unsanitized script argument. The `scripts/explain_error.sh` script takes an error code as an argument (`$1`) and uses it directly in shell commands (`grep` and `rustc --explain`). If the `ERROR_CODE` argument contains shell metacharacters (e.g., `$(command)`, `&&`, `;`), an attacker could inject and execute arbitrary commands on the host system. The skill's `SKILL.md` explicitly instructs the agent to use this script with an `E0xxx` placeholder, implying the agent will pass an error code, potentially derived from untrusted `cargo check` failure output. Sanitize or validate the `ERROR_CODE` argument before using it in shell commands; for example, ensure it strictly matches the expected `E0xxx` format using a regular expression. When invoking `rustc --explain`, consider using a programming language's subprocess module with an argument list instead of a shell command string to avoid shell interpretation. If remaining in bash, strictly validate the input or use `printf %q` to quote arguments if they are passed to another shell invocation, though direct execution of `rustc` with a validated argument is safer. | Static | scripts/explain_error.sh:4 |
Full report: https://skillshield.io/report/24bea2f14ec2795f
Powered by SkillShield