Trust Assessment
accountcreator received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include Missing required field: name, Hardcoded API Key Exposure, Ambiguous Instruction for Insecure Credential Storage.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Hardcoded API Key Exposure An API key for the 'XEvil Solver' tool is hardcoded directly within the system instruction. This exposes the key to anyone with access to the skill definition, making it vulnerable to unauthorized use and potential compromise of the associated service. Remove the hardcoded API key from the system instruction. Implement a secure secrets management system (e.g., environment variables, a dedicated secrets store) to provide the key to the agent at runtime, ensuring it is not exposed in plain text in the skill definition. | LLM | skill.md:22 | |
| HIGH | Ambiguous Instruction for Insecure Credential Storage The instruction 'Save the credentials (Login:Password) to a secure log file' is vague and relies on the agent's interpretation of 'secure.' Without explicit secure storage mechanisms, this could lead to sensitive login credentials being written to an insecure, accessible, or unencrypted file, potentially exposing them to unauthorized access or exfiltration. Provide explicit instructions for secure credential storage. This might involve using a dedicated secrets management tool, an encrypted file system, or ensuring the agent's output is directed to a secure, access-controlled location. Avoid relying on the agent's interpretation of 'secure.' | LLM | skill.md:26 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/dimkag79/accountcreator/skill.md:1 | |
| MEDIUM | External Dependency on Hardcoded IP for Captcha Solving The skill relies on an external 'XEvil Solver' tool hosted at a hardcoded IP address (91.84.99.54:80). This introduces a supply chain risk as the integrity and security of this external service are unknown. Furthermore, sending captcha data (which might contain sensitive visual information or context from the registration page) to an external, potentially untrusted, third-party server constitutes data transfer outside the controlled environment. Evaluate the trustworthiness of the external service. If possible, use a reputable, well-vetted captcha solving service. Consider implementing measures to anonymize or filter sensitive data before sending it to external services. Document the data flow and privacy implications of using this external dependency. | LLM | skill.md:16 |
Scan History
Embed Code
[](https://skillshield.io/report/9db7ad5ebb7097a6)
Powered by SkillShield