Security Audit
dkyazzentwatwa/chatgpt-skills:data-anonymizer
github.com/dkyazzentwatwa/chatgpt-skillsTrust Assessment
dkyazzentwatwa/chatgpt-skills:data-anonymizer received a trust score of 64/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include Unpinned Python dependency version, Weak Dependency Pinning, Potential Regular Expression Denial of Service (ReDoS) via Custom Patterns.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 24, 2026 (commit d4bad335). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Regular Expression Denial of Service (ReDoS) via Custom Patterns The `add_pattern` method in `DataAnonymizer` allows adding custom regex patterns. If the AI agent constructs the `pattern` argument from untrusted user input without proper validation, a maliciously crafted regex (e.g., one with catastrophic backtracking like `(a+)+b`) could be injected. When this pattern is subsequently used to process text via `re.finditer`, it could lead to a Regular Expression Denial of Service (ReDoS) attack, consuming excessive CPU resources and potentially making the service unresponsive. The skill itself does not validate the safety or complexity of the provided regex pattern. Implement robust validation for custom regex patterns added via `add_pattern`. This could involve using a library to analyze regex complexity, limiting the types of regex constructs allowed, or ensuring that any input used to construct these patterns is thoroughly sanitized and validated by the AI agent before being passed to the skill. | Static | scripts/data_anonymizer.py:290 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pandas>=2.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | data-anonymizer/scripts/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'faker>=18.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | data-anonymizer/scripts/requirements.txt:2 | |
| MEDIUM | Weak Dependency Pinning The `requirements.txt` file uses weak dependency pinning (`>=`) for `pandas` and `faker`. This allows for major version upgrades, which could introduce breaking changes, unexpected behavior, or, in a worst-case scenario, a malicious update if a future version of a dependency is compromised. It is recommended to pin dependencies to exact versions (`==`) or use compatible release operators (`~=`) to ensure stability and security. Pin dependencies to exact versions (e.g., `pandas==2.1.4`) or use compatible release operators (e.g., `pandas~=2.1.0`) to prevent unintended major version upgrades. | Static | scripts/requirements.txt:1 |
Scan History
Embed Code
[](https://skillshield.io/report/b61922704164b5f6)
Powered by SkillShield