Trust Assessment
hybrid-search-implementation received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential SQL Injection in PostgreSQL Filter Key.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 5d65aa10). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential SQL injection in PostgreSQL filter key. The `hybrid_search` method of `PostgresHybridSearch` builds its `WHERE` clause by interpolating each `key` of `filter_metadata` directly into the SQL text as `metadata->>'{key}'`. The filter values are bound as parameters, but the key is not, so if `filter_metadata` can be influenced by an untrusted caller, a key such as `tenant' = '' OR 1=1 --` closes the string literal and rewrites the predicate. Fix: validate keys against an allowlist of known metadata fields, or at minimum restrict them to `[A-Za-z0-9_]+`, and bind the key as a parameter (`metadata->>%s`). Parameterizing works here because the right operand of `->>` is a text value, not a column identifier. | LLM | SKILL.md:140 |
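To make the finding concrete, the following added example (not the skill's own code) reconstructs the pattern the report describes in hypothetical form: a `WHERE` builder that interpolates the filter key and one that binds it. The function names, the `ALLOWED_KEYS` set and the sample filters are assumptions; the builders return SQL text with psycopg-style `%s` placeholders plus the parameter list, so the effect of a hostile key can be seen without a database.

```python
import re
from typing import Any, FrozenSet, Optional

# Hypothetical reconstruction of the vulnerable pattern: the key of every
# filter_metadata entry is interpolated into the SQL text, the value is bound.
def build_where_vulnerable(filter_metadata: dict[str, Any]) -> tuple[str, list[Any]]:
    clauses: list[str] = []
    params: list[Any] = []
    for key, value in filter_metadata.items():
        clauses.append(f"metadata->>'{key}' = %s")  # key lands in the SQL string
        params.append(value)
    return " AND ".join(clauses), params


# Conservative shape for a JSON metadata key: identifier-like, bounded length.
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")

# Assumed allowlist of metadata fields the application actually filters on.
ALLOWED_KEYS: FrozenSet[str] = frozenset({"tenant", "source", "lang"})


def build_where_safe(
    filter_metadata: dict[str, Any],
    allowed_keys: Optional[FrozenSet[str]] = ALLOWED_KEYS,
) -> tuple[str, list[Any]]:
    """Build the same clause with the key validated and bound as a parameter.

    Raises ValueError for any key that is not allowlisted (when an allowlist is
    given) or does not match KEY_RE. Validation is kept even though the key is
    parameterized, so a caller cannot probe arbitrary JSON paths.
    """
    clauses: list[str] = []
    params: list[Any] = []
    for key, value in filter_metadata.items():
        if not isinstance(key, str) or not KEY_RE.match(key):
            raise ValueError(f"malformed metadata key: {key!r}")
        if allowed_keys is not None and key not in allowed_keys:
            raise ValueError(f"metadata key not allowlisted: {key!r}")
        # The right operand of ->> is a text value, not an identifier, so it can
        # be bound like any other parameter; the key never touches the SQL text.
        clauses.append("metadata->>%s = %s")
        params.extend([key, value])
    return " AND ".join(clauses), params


def is_predicate_subverted(sql_where: str) -> bool:
    """Crude check used only for the demo: an unbalanced quote or a comment
    marker in the rendered clause means the key escaped its string literal."""
    return sql_where.count("'") % 2 == 1 or "--" in sql_where


if __name__ == "__main__":
    # Constructed hostile filter: the key closes the literal and adds a tautology.
    hostile = {"tenant' = '' OR 1=1 --": "acme"}
    sql, params = build_where_vulnerable(hostile)
    print("vulnerable:", sql, params)          # predicate is now always true
    print("subverted:", is_predicate_subverted(sql))

    sql, params = build_where_safe({"tenant": "acme", "lang": "en"})
    print("safe:", sql, params)                # key and value both bound
    try:
        build_where_safe(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is the strongest control because it ties the filter surface to fields the application knows; the regex is the fallback when the set of keys is open-ended, and binding the key closes the injection even if validation is later loosened.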
Full report: https://skillshield.io/report/3b0dc8142e9e9fb4 (powered by SkillShield)