Trust Assessment
avito received a trust score of 57/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 0 critical, 0 high, 6 medium, and 1 low severity. Key findings include "Suspicious import: requests", "Insecure handling of credentials via command-line arguments", and "Unpinned dependency: 'requests' library".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 65/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ruslanlanket/avito/scripts/auth.py:1 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ruslanlanket/avito/scripts/get_balance.py:1 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ruslanlanket/avito/scripts/get_self.py:1 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ruslanlanket/avito/scripts/list_chats.py:1 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ruslanlanket/avito/scripts/list_items.py:1 |
| MEDIUM | Insecure handling of credentials via command-line arguments. Sensitive information such as the Avito client ID, client secret, and access tokens is passed directly as command-line arguments in multiple scripts (`scripts/auth.py`, `scripts/get_balance.py`, `scripts/get_self.py`, `scripts/list_chats.py`, `scripts/list_items.py`). This practice is insecure because these credentials can be exposed in shell history, process lists (`ps aux`), or system logs, making them vulnerable to unauthorized access by other users or processes on the same system. The `SKILL.md` suggests setting credentials in the environment, but the scripts do not implement reading from environment variables. Modify all affected scripts to retrieve sensitive credentials from more secure sources, such as environment variables (e.g., `os.getenv()`), rather than command-line arguments. Ensure environment variables are not logged or exposed. Update `SKILL.md` to reflect the actual implementation. | LLM | scripts/auth.py:24 |
| LOW | Unpinned dependency: 'requests' library. The `SKILL.md` specifies `requests` as a requirement but does not pin a specific version. This can lead to supply chain risks if a future version of the library introduces vulnerabilities, breaking changes, or malicious code without explicit review. Specify a precise version for the `requests` library (e.g., `requests==2.28.1`) in a `requirements.txt` file or similar dependency management system, and update `SKILL.md` to reflect this. | LLM | SKILL.md:11 |