Security Audit
raffle-winner-picker
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
raffle-winner-picker received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Both findings are medium: Potential for PII Data Handling and Exfiltration, and Potential for Excessive Permissions for External Resources.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Potential for PII Data Handling and Exfiltration.** The skill is designed to access and process personally identifiable information (PII) such as names and email addresses from external sources like Google Sheets and local files (e.g., CSV, Excel). `SKILL.md` describes this as intended functionality, but it is a pattern in which sensitive user data is handled, and without inspecting the skill's code there is an inherent risk that the data, once accessed, is mishandled, stored insecurely, or exfiltrated beyond its intended use. The skill's output example explicitly shows PII such as 'Name: Sarah Johnson' and 'Email: sarah.j@email.com'. Ensure the implementation adheres to strict data-privacy principles: enforce access controls, encrypt sensitive data at rest and in transit, define data retention and deletion policies, and avoid logging PII unnecessarily. The skill should access and process only the data strictly required for its function and be transparent to users about its data-handling practices. | Static | SKILL.md:48 |
| MEDIUM | **Potential for Excessive Permissions for External Resources.** The skill's description indicates it interacts with external resources such as Google Sheets and local files, for example 'Pick a random row from this Google Sheet' and 'Pick 3 random winners from entries.csv'. `SKILL.md` does not specify the scope of permissions these operations require. If the implementation requests overly broad permissions (e.g., full read/write access to all Google Drive files, or unrestricted filesystem access) when read access to specific, user-designated files or sheets would suffice, that is an excessive-permission risk. Implement the skill under the principle of least privilege: request only the minimum Google Sheets API scope (e.g., read-only access to specific sheets) and only read access to user-specified local files, and document the required permissions and their justification for users. | Static | SKILL.md:30 |
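Both findings above are recommendations rather than observed code, so the following is an added illustration of what a picker that follows them looks like; it is not the raffle-winner-picker skill's own code. It assumes entries arrive as CSV text with `Name` and `Email` columns (the column names, the `/srv/raffle` root directory and the sample rows are constructed assumptions), requests only the read-only Sheets scope instead of full Drive access, keeps only the columns the draw needs, confines user-supplied file names to one directory, draws with the OS CSPRNG, and redacts email addresses before anything reaches a log. No network call is made; the scope strings are the real Google OAuth scope URIs but are only declared here.

```python
# Added illustration for the two findings above; not the skill's own code.
# Assumes CSV input with "Name" and "Email" columns (an assumption).
import csv
import io
import secrets
from pathlib import Path

# Google OAuth scope URIs. A picker that only reads a sheet needs the first;
# the second grants read/write over every Drive file and is the
# "excessive permission" pattern the finding warns about.
SCOPE_SHEETS_READONLY = "https://www.googleapis.com/auth/spreadsheets.readonly"
SCOPE_DRIVE_FULL = "https://www.googleapis.com/auth/drive"  # never request for a read-only draw
REQUESTED_SCOPES = [SCOPE_SHEETS_READONLY]

REQUIRED_COLUMNS = ("Name", "Email")  # only the fields the draw actually needs


def confine_path(user_path: str, allowed_root: str) -> str:
    """Resolve a user-supplied file name inside allowed_root.

    Raises ValueError if '..' segments or symlinks would escape the root,
    so the skill never reads outside the directory it was pointed at.
    """
    root = Path(allowed_root).resolve()
    target = (root / user_path).resolve()
    target.relative_to(root)  # ValueError when target is outside root
    return str(target)


def path_is_confined(user_path: str, allowed_root: str) -> bool:
    """Boolean form of confine_path for callers that want to check before opening."""
    try:
        confine_path(user_path, allowed_root)
        return True
    except ValueError:
        return False


def load_entries(csv_text: str) -> list[dict]:
    """Parse entries, keeping only REQUIRED_COLUMNS so extra PII is dropped at the boundary."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in fields]
    if missing:
        raise ValueError(f"missing columns: {missing}")
    return [{c: row[c].strip() for c in REQUIRED_COLUMNS} for row in reader]


def pick_winners(entries: list[dict], n: int) -> list[dict]:
    """Draw n distinct winners with the OS CSPRNG (secrets.SystemRandom), not random.random."""
    if not 0 < n <= len(entries):
        raise ValueError("n must be between 1 and the number of entries")
    return secrets.SystemRandom().sample(entries, n)


def redact_email(email: str) -> str:
    """Keep the first character of the local part and the domain: sarah.j@email.com -> s***@email.com."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        return "***"
    return f"{local[0]}***@{domain}"


def log_line(winners: list[dict]) -> str:
    """What goes to logs: redacted addresses, so a leaked log is not a leaked mailing list."""
    return "winners: " + ", ".join(f"{w['Name']} <{redact_email(w['Email'])}>" for w in winners)


def announce(winners: list[dict]) -> str:
    """The user-facing result, in the same shape as the skill's documented output."""
    return "\n".join(f"Name: {w['Name']}\nEmail: {w['Email']}" for w in winners)


if __name__ == "__main__":
    # Constructed sample data, not from the skill or any real raffle.
    # The Phone column exists only to show that unneeded PII is dropped.
    SAMPLE_CSV = (
        "Name,Email,Phone\n"
        "Sarah Johnson,sarah.j@email.com,555-0100\n"
        "Amir Khan,amir@example.org,555-0101\n"
        "Li Wei,li.wei@example.net,555-0102\n"
    )
    print("confined:", confine_path("entries.csv", "/srv/raffle"))
    print("escape blocked:", not path_is_confined("../../etc/passwd", "/srv/raffle"))
    entries = load_entries(SAMPLE_CSV)
    winners = pick_winners(entries, 2)
    print(log_line(winners))
    print(announce(winners))
```

The split between `log_line` and `announce` is the point of the first finding: the winner's full address is part of the skill's intended output, but nothing forces it into logs, and the `Phone` column never survives `load_entries`. For the second finding, the only scope in `REQUESTED_SCOPES` is the read-only Sheets scope, and local reads go through `confine_path`, which is what "read-only access to user-specified files" means in practice.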
Embed code (report badge): https://skillshield.io/report/789309f90a470afb
Powered by SkillShield