Trust Assessment
astropy received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Potential for Arbitrary File I/O and Remote Resource Access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential for Arbitrary File I/O and Remote Resource Access.** The skill documentation explicitly states that `astropy.io.fits` can "Access remote FITS files (S3, HTTP)" and provides examples of reading local FITS and table files. If the LLM, when using this skill, allows user-controlled input for file paths or URLs, it could lead to: (1) **Data Exfiltration**: reading arbitrary local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) from the execution environment; (2) **Server-Side Request Forgery (SSRF)**: making requests to arbitrary remote endpoints, potentially targeting internal network resources or sensitive external services. This capability, if exposed without proper input validation and sandboxing, presents a significant security risk. The LLM implementation of this skill must strictly validate and sanitize any user-provided file paths or URLs. File access should be restricted to a designated sandbox directory. For remote access, implement a whitelist of allowed domains/protocols or proxy requests through a secure service. Ensure the LLM execution environment has appropriate network and filesystem access controls and that the skill does not directly expose arbitrary file/URL input to the user. | LLM | SKILL.md:108 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | **Unpinned `astropy` dependency.** The installation instructions `uv pip install astropy` and `uv pip install astropy[all]` do not specify a version number for the `astropy` package. This can lead to non-deterministic builds, potential compatibility issues with future versions, or inadvertently pulling in new vulnerabilities introduced in later releases if a new version is released with a critical flaw. Pin the `astropy` dependency to a specific, known-good version (e.g., `uv pip install astropy==X.Y.Z`). Regularly review and update the pinned version to incorporate security fixes and new features. | LLM | SKILL.md:248 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/39516c7cb72079f2
Powered by SkillShield