Security Audit

analytics-tracking

github.com/coreyhaines31/marketingskills

AI SkillCommit a04cb61a577a

TRUSTED

Scanned 4 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

analytics-tracking received a trust score of 90/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.

SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include LLM instructed to read local file for context, LLM instructed to read local tool registry and integration files.

The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 16, 2026 (commit a04cb61a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

86%

Behavioral Risk Signals

Filesystem Write

2 findings

Excessive Permissions

2 findings

Security Findings2

Severity	Finding	Layer	Location
MEDIUM	LLM instructed to read local file for context The skill explicitly instructs the LLM to read the content of `.claude/product-marketing-context.md` from the local filesystem. While intended for providing context, this direct file access by an untrusted skill could lead to data exfiltration if the file contains sensitive information and the LLM is not strictly prevented from incorporating such information into its output. Avoid instructing the LLM to directly read local files. Instead, provide necessary context directly within the skill definition or through a secure, sandboxed mechanism that explicitly controls what information can be accessed and how it can be used.	Unknown	SKILL.md:8
MEDIUM	LLM instructed to read local tool registry and integration files The skill instructs the LLM to reference (read) local files such as `../../tools/REGISTRY.md` and specific tool integration guides (e.g., `../../tools/integrations/ga4.md`). This direct file access, even for 'implementation' context, poses a risk of data exfiltration if these files contain sensitive information and the LLM is not strictly prevented from incorporating such information into its output. Avoid direct LLM access to local files. Provide necessary tool information directly within the skill or via a controlled, secure mechanism that explicitly controls what information can be accessed and how it can be used.	Unknown	SKILL.md:189

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/00b87ea1f4adb00b.svg)](https://skillshield.io/report/00b87ea1f4adb00b)