Trust Assessment
bing_search received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Suspicious import: urllib.request", "Insecure SSL/TLS Configuration (MITM Vulnerability)", and "Proxy Configuration via Environment Variables with Insecure SSL".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Insecure SSL/TLS Configuration (MITM Vulnerability): The skill explicitly disables SSL/TLS certificate verification by setting `ctx.check_hostname = False` and `ctx.verify_mode = ssl.CERT_NONE`. This makes all HTTPS connections vulnerable to Man-in-the-Middle (MITM) attacks, allowing an attacker to intercept, read, and potentially modify sensitive data (such as search queries and results) without detection. This is a critical security flaw that can lead to data exfiltration and compromise the integrity of communications. Remove or comment out `ctx.check_hostname = False` and `ctx.verify_mode = ssl.CERT_NONE`. Ensure that SSL/TLS certificate verification is enabled by default or explicitly set to `ssl.CERT_REQUIRED`. If specific certificates are needed, use a trusted CA bundle. | LLM | scripts/search.py:13 |
| HIGH | Proxy Configuration via Environment Variables with Insecure SSL: The skill retrieves proxy settings from environment variables (`ALL_PROXY` or `HTTP_PROXY`). While this is a common practice, when combined with the disabled SSL certificate verification (as identified in another finding), it significantly increases the risk of data exfiltration. If the environment variables are compromised or misconfigured to point to a malicious proxy, all network traffic (including search queries and results) could be routed through an attacker-controlled server without the client detecting any certificate anomalies, leading to potential data interception and exfiltration. The primary remediation is to fix the disabled SSL verification. Additionally, consider if proxy settings should be explicitly configured or validated, rather than solely relying on potentially untrusted environment variables, especially for sensitive operations. If environment variables must be used, ensure the environment where the skill runs is secure and trusted. | LLM | scripts/search.py:30 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/stdeson/bing-search/scripts/search.py:3 |