Security Audit
googlephotos-automation
github.com/ComposioHQ/awesome-claude-skillsTrust Assessment
googlephotos-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Skill allows uploading arbitrary local files, posing data exfiltration risk.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Skill allows uploading arbitrary local files, posing data exfiltration risk The `GOOGLEPHOTOS_UPLOAD_MEDIA` and `GOOGLEPHOTOS_BATCH_CREATE_MEDIA_ITEMS` tools explicitly accept `file_to_upload` or `files` parameters, allowing the skill to read and upload any local file accessible to the agent's execution environment. A malicious prompt could instruct the LLM to upload sensitive local files (e.g., configuration files, private keys, user data) to Google Photos, leading to unauthorized data exfiltration. Implement strict validation and sanitization of file paths provided to the skill, especially when originating from untrusted user input or LLM-generated content. Consider restricting file access to specific, whitelisted directories or requiring explicit user confirmation for sensitive file uploads. The agent should be configured with minimal necessary file system permissions. | LLM | SKILL.md:44 |
Scan History
Embed Code
[](https://skillshield.io/report/076d5741290bd0ad)
Powered by SkillShield