Security Audit
monitoring-observability
github.com/ahmedasmar/devops-claude-skills
Trust Assessment
monitoring-observability received a trust score of 61/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 4 medium, and 0 low severity. Key findings include Suspicious import: requests, Insecure handling of API keys via command-line arguments, Unpinned Python dependencies.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit b06435d5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Insecure handling of API keys via command-line arguments. The `datadog_cost_analyzer.py` script accepts Datadog API and Application keys directly as command-line arguments (`--api-key`, `--app-key`). Passing sensitive credentials this way can expose them in shell history, process lists (`ps aux`), or system logs, making them vulnerable to unauthorized access. While the script itself does not exfiltrate these keys, their insecure handling on the local system poses a significant risk. Modify the script to retrieve API keys from more secure sources, such as environment variables, a dedicated configuration file with restricted permissions, or a secrets management system (e.g., AWS Secrets Manager, HashiCorp Vault). Avoid passing sensitive information directly on the command line. | Unknown | scripts/datadog_cost_analyzer.py:280 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ls0vr7zu/repo/monitoring-observability/scripts/analyze_metrics.py:15 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ls0vr7zu/repo/monitoring-observability/scripts/datadog_cost_analyzer.py:15 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-ls0vr7zu/repo/monitoring-observability/scripts/health_check_validator.py:15 |
| MEDIUM | Unpinned Python dependencies. Multiple Python scripts (`alert_quality_checker.py`, `analyze_metrics.py`, `datadog_cost_analyzer.py`, `health_check_validator.py`, `log_analyzer.py`, `slo_calculator.py`) suggest installing external libraries (e.g., `pyyaml`, `requests`, `boto3`, `tabulate`) without specifying version pins. This practice can lead to non-deterministic builds, compatibility issues, or, more critically, supply chain attacks if a new version of a dependency introduces vulnerabilities or malicious code. For example, `scripts/alert_quality_checker.py` suggests `pip install pyyaml` without a version. Create a `requirements.txt` file that lists all external dependencies with pinned versions (e.g., `requests==2.28.1`, `pyyaml==6.0.1`). Instruct users to install dependencies using `pip install -r requirements.txt` to ensure consistent and secure environments. | Unknown | scripts/alert_quality_checker.py:10 |