Trust Assessment
actual-budget received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 1 critical, 1 high, 4 medium, and 0 low severity. Key findings include Potential hardcoded secret (high entropy), Unpinned Dependency in Installation Instructions, Credential Exfiltration via Malicious Server URL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Credential Exfiltration via Malicious Server URL The skill is designed to connect to a user-specified `ACTUAL_SERVER_URL` using sensitive credentials (`ACTUAL_PASSWORD`, `ACTUAL_ENCRYPTION_PASSWORD`). If an attacker can manipulate the `ACTUAL_SERVER_URL` environment variable, the skill will transmit these highly sensitive credentials to an arbitrary, potentially malicious, server controlled by the attacker, leading to full compromise of the user's Actual Budget instance. Ensure that the `ACTUAL_SERVER_URL` environment variable is strictly validated and configured only with trusted endpoints. The execution environment should enforce strict sandboxing and prevent unauthorized modification of environment variables. Consider using a secure credential management system instead of direct environment variables for sensitive data. | LLM | SKILL.md:31 | |
| HIGH | Arbitrary File Write/Read via `ACTUAL_DATA_DIR` The skill uses `process.env.ACTUAL_DATA_DIR` to determine the local cache directory for sensitive budget data. If an attacker can control this environment variable, they could direct the skill to write or read data from arbitrary locations on the filesystem. This could lead to overwriting critical system files, exfiltrating sensitive user data from other directories, or injecting malicious data into the skill's operational context. Implement strict validation and sanitization of the `ACTUAL_DATA_DIR` environment variable. The skill's execution environment should enforce strong sandboxing, limiting file system access to only necessary, isolated directories. Avoid allowing user-controlled paths to sensitive locations. | LLM | SKILL.md:30 | |
| MEDIUM | Potential hardcoded secret (high entropy) A high-entropy string (entropy=4.54) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/thisisjeron/actual-budget/SKILL.md:45 | |
| MEDIUM | Potential hardcoded secret (high entropy) A high-entropy string (entropy=4.54) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/thisisjeron/actual-budget/SKILL.md:49 | |
| MEDIUM | Unpinned Dependency in Installation Instructions The installation instructions recommend installing the `@actual-app/api` package without specifying a version. This can lead to supply chain risks, as future versions might introduce breaking changes, vulnerabilities, or malicious code without explicit user consent or review. It also makes builds non-deterministic. Pin the dependency to a specific major or minor version (e.g., `npm install @actual-app/api@^X.Y.Z` or `@actual-app/api@X.Y.Z`) to ensure deterministic builds and reduce the risk of unexpected changes. | LLM | SKILL.md:10 | |
| MEDIUM | Arbitrary File Read via `NODE_EXTRA_CA_CERTS` The skill allows specifying a path to a custom CA certificate file via the `NODE_EXTRA_CA_CERTS` environment variable. If an attacker can control this variable, they could force the skill to attempt to read arbitrary files from the filesystem, potentially leading to data exfiltration of sensitive files if the underlying Node.js process has read permissions to those files. Ensure that the `NODE_EXTRA_CA_CERTS` environment variable is strictly validated to only accept paths within a designated, secure certificate store. The execution environment should enforce strong sandboxing to prevent arbitrary file access. | LLM | SKILL.md:20 |
Scan History
Embed Code
[](https://skillshield.io/report/7ed5ae30ac889d17)
Powered by SkillShield