Trust Assessment
ga4 received a trust score of 49/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 3 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Suspicious import: requests", and "Unpinned Dependencies in Python Scripts".
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 0676c56a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints. Python requests POST/PUT to URL. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-_no64pr4/repo/skills/ga4/scripts/ga4_auth.py:41 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-_no64pr4/repo/skills/ga4/scripts/ga4_auth.py:39 |
| MEDIUM | Unpinned Dependencies in Python Scripts. The Python scripts `scripts/ga4_query.py` and `scripts/ga4_auth.py` specify dependencies without pinning exact versions (e.g., `google-analytics-data`, `google-auth-oauthlib`, `requests`). This practice can lead to supply chain risks, as a new version of a dependency might introduce breaking changes, vulnerabilities, or even malicious code. Without pinned versions, builds are not deterministic, and future installations could pull in compromised or incompatible packages. Pin all dependencies to exact versions (e.g., `google-analytics-data==X.Y.Z`). Use a `requirements.txt` file with `pip freeze > requirements.txt` after verifying working versions, or manually specify versions. Ensure `requests` is also listed as a dependency for `ga4_auth.py`. | Unknown | scripts/ga4_query.py:10 |
| MEDIUM | Unpinned Dependencies in Python Scripts. The Python scripts `scripts/ga4_query.py` and `scripts/ga4_auth.py` specify dependencies without pinning exact versions (e.g., `google-analytics-data`, `google-auth-oauthlib`, `requests`). This practice can lead to supply chain risks, as a new version of a dependency might introduce breaking changes, vulnerabilities, or even malicious code. Without pinned versions, builds are not deterministic, and future installations could pull in compromised or incompatible packages. Pin all dependencies to exact versions (e.g., `google-auth-oauthlib==X.Y.Z`). Use a `requirements.txt` file with `pip freeze > requirements.txt` after verifying working versions, or manually specify versions. Ensure `requests` is also listed as a dependency for `ga4_auth.py`. | Unknown | scripts/ga4_auth.py:10 |