Security Audit
affaan-m/everything-claude-code:.cursor/skills/django-verification
github.com/affaan-m/everything-claude-code

Trust Assessment
affaan-m/everything-claude-code:.cursor/skills/django-verification received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 3 medium, and 0 low severity. Key findings include: Hardcoded Superuser Credentials in Test Setup; Hardcoded Database Credentials in CI Workflow Example; Hardcoded Django Secret Key in CI Workflow Example.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 24, 2026 (commit db27ba1e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Hardcoded Superuser Credentials in Test Setup: The skill includes a command to create a Django superuser with a hardcoded email ('admin@example.com') and password ('admin'). While intended for a test environment, hardcoding credentials, even for testing, is a security anti-pattern that increases the risk of accidental exposure or misuse if run in a production-like context. Avoid hardcoding credentials. For test environments, use environment variables, a dedicated test settings file, or a mechanism to generate random credentials. Ensure this command is never run in production. | LLM | SKILL.md:129 |
| MEDIUM | Hardcoded Database Credentials in CI Workflow Example: The provided GitHub Actions example workflow includes a hardcoded `DATABASE_URL` with username 'postgres' and password 'postgres'. While this is common for local CI testing, it represents a hardcoded credential within the skill's context. This practice can lead to credential exposure if the workflow configuration is not properly secured or if these values are mistakenly used in a production environment. Use GitHub Actions secrets or environment variables for sensitive information like database credentials, even in test environments. | LLM | SKILL.md:291 |
| MEDIUM | Hardcoded Django Secret Key in CI Workflow Example: The provided GitHub Actions example workflow includes a hardcoded `DJANGO_SECRET_KEY` with the value 'test-secret-key'. Django's `SECRET_KEY` is a critical security setting used for cryptographic signing. Hardcoding it, even for testing, is a security anti-pattern. If this key were to be exposed or used in a production environment, it could lead to severe security vulnerabilities. Use GitHub Actions secrets or environment variables for the `DJANGO_SECRET_KEY`. Never hardcode this value, especially not with a weak or generic string. | LLM | SKILL.md:292 |
Full report: https://skillshield.io/report/efffab1dad34a964