Security Audit

gsc

github.com/jdrhyne/agent-skills

AI SkillCommit 0676c56a8ab1

TRUSTED

Scanned 9 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

gsc received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include OAuth Credentials Printed to Standard Output During Setup.

The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 11, 2026 (commit 0676c56a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Filesystem Write

1 finding

Shell Execution

1 finding

Excessive Permissions

1 finding

Security Findings1

Severity	Finding	Layer	Location
HIGH	OAuth Credentials Printed to Standard Output During Setup The `gsc_auth.py` script, designed for initial OAuth setup, prints the generated Google Client ID, Client Secret, and Refresh Token directly to standard output. While this is intended for the user to manually configure their `.env` file, it exposes these sensitive credentials in plain text. If the environment where this script is executed is compromised or if standard output is logged by the agent's execution environment, these credentials could be captured, leading to unauthorized access to the user's Google Search Console data. 1. Secure Output: Instead of printing to stdout, consider writing these credentials directly to a securely configured `.env` file (if the skill's execution environment allows for secure file writing) or providing a more secure mechanism for credential transfer. 2. Warning: Add a prominent warning to the user about the sensitivity of these credentials and the importance of securing their `.env` file and execution environment. 3. Ephemeral Display: If printing is necessary, ensure the display is ephemeral and not persistently logged by the agent's environment.	Unknown	scripts/gsc_auth.py:80

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/ba7e61c587de0479.svg)](https://skillshield.io/report/ba7e61c587de0479)