Trust Assessment
sora received a trust score of 23/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 3 high, 1 medium, and 0 low severity. Key findings include Unsafe environment variable passthrough, Credential harvesting, Arbitrary File Read via User-Controlled Paths.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (5)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Credential harvesting | Reading well-known credential environment variables. | Skills should only access environment variables they explicitly need. Bulk environment dumps (`os.environ.copy`, `JSON.stringify(process.env)`) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | cli-tool/components/skills/video/sora/scripts/sora.py:51 |
| HIGH | Unsafe environment variable passthrough | Access to well-known credential environment variables. | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | cli-tool/components/skills/video/sora/scripts/sora.py:51 |
| HIGH | Arbitrary File Read via User-Controlled Paths | The `scripts/sora.py` skill allows reading arbitrary files from the filesystem if a malicious user provides a controlled path to the `--prompt-file` or `--input-reference` arguments. The content of these files could then be sent to the OpenAI API as part of the prompt or input, leading to data exfiltration. This grants excessive permissions to the skill. | Restrict `--prompt-file` and `--input-reference` paths to a designated, isolated temporary directory (e.g., `/tmp/sora_prompts/`) or validate that paths are not absolute and do not contain directory traversal sequences (`..`). Ensure the LLM generates and manages these temporary files securely. | LLM | scripts/sora.py:50 |
| HIGH | Arbitrary File Write via User-Controlled Output Paths | The `scripts/sora.py` skill allows writing files to arbitrary locations on the filesystem if a malicious user provides a controlled path to the `--out` or `--json-out` arguments. An attacker could overwrite critical system files, create malicious scripts in executable paths (e.g., cron jobs, web server directories), or fill up disk space, leading to denial of service or command injection. This grants excessive permissions to the skill. | Restrict `--out` and `--json-out` paths to a designated, isolated output directory (e.g., `/tmp/sora_output/`) or validate that paths are not absolute and do not contain directory traversal sequences (`..`). Ensure the LLM manages these output paths securely. | LLM | scripts/sora.py:126 |
| MEDIUM | Unpinned Dependencies | The `scripts/sora.py` skill relies on the `openai` (and implicitly `httpx`) Python package but does not specify a version constraint. This means that future installations or updates could pull in a new, potentially vulnerable, or breaking version of the dependency, introducing supply chain risks. | Pin the `openai` dependency to a specific major.minor.patch version (e.g., `openai==1.x.y`) in a `requirements.txt` or `pyproject.toml` file, and ensure `uv` uses this file for dependency resolution. Regularly review and update pinned versions. | LLM | scripts/sora.py:150 |
Scan History
[Full report](https://skillshield.io/report/78eb39968737f351)
Powered by SkillShield