Trust Assessment
neon-instagres received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, and Exposure of .env file contents.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Exposure of .env file contents: The skill instructs the agent to execute `cat .env`. This command reads the entire `.env` file, which commonly contains sensitive credentials (e.g., `DATABASE_URL`, API keys, `PUBLIC_INSTAGRES_CLAIM_URL`). Although the output is piped to `grep DATABASE_URL`, the full content of `.env` is processed by the shell and made available to the agent before filtering. This creates a significant risk of data exfiltration if the agent's internal logging or output mechanisms are compromised, or if the `grep` command fails or is bypassed. Instead of `cat .env \| grep DATABASE_URL`, consider using a more targeted approach if only `DATABASE_URL` is needed. For example, `grep -q DATABASE_URL .env` can check for existence without exposing the value. If the value is required, the agent should parse the `.env` file securely without exposing its full contents, or rely on environment variables already loaded by the system. Ensure that the agent's environment strictly prevents logging or transmitting the raw output of `cat .env`. | Static | SKILL.md:20 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Broad Bash and Read permissions used for sensitive file access: The skill declares `Bash` and `Read` permissions and then explicitly instructs the agent to use `cat .env`. While `Bash` is necessary for the skill's core functionality (e.g., running `npx` commands), the combination with `Read` and the specific instruction to read a sensitive file like `.env` creates a significant attack surface. An agent with these permissions could potentially be manipulated to read or execute arbitrary files/commands beyond the intended scope if user input is not rigorously sanitized, leading to unauthorized information disclosure or command execution. Review the necessity of `Read` access to arbitrary files when `Bash` is also granted. Implement strict input validation and sanitization for any user-provided arguments that might be passed to shell commands. For checking `.env` contents, prefer secure environment variable access methods over direct file reads where possible, or use tools that specifically parse `.env` files without exposing their full content to the shell. | Static | SKILL.md:20 |
| LOW | Covert behavior / concealment directives: Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |