Trust Assessment
ble-anima-minter received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 0 critical, 0 high, 4 medium, and 2 low severity. Key findings include: "Missing required field: name", "Unpinned Python dependency version", and "Unpinned dependencies in requirements.txt".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/penguinx01/ble-anima-minter/SKILL.md:1 |
| MEDIUM | Unpinned Python dependency version | Requirement 'aioblescan' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/penguinx01/ble-anima-minter/requirements.txt:2 |
| MEDIUM | Unpinned Python dependency version | Requirement 'networkx' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/penguinx01/ble-anima-minter/requirements.txt:3 |
| MEDIUM | Unpinned dependencies in requirements.txt | The `requirements.txt` file specifies dependencies without pinning them to a specific version. This can lead to non-deterministic builds and introduce vulnerabilities if a new version of a dependency contains a security flaw or breaking changes. An attacker could potentially introduce malicious code into a dependency if they gain control of a package repository and release a new version. Pin dependencies to exact versions (e.g., `aioblescan==0.1.0`) or use version ranges with upper bounds (e.g., `aioblescan>=0.1.0,<0.2.0`). Regularly audit and update pinned dependencies. | LLM | requirements.txt:1 |
| LOW | Hardcoded cryptographic salt | The cryptographic salt used for hashing MAC addresses is hardcoded (`SALT = "anima2026"`). While this skill's purpose is not password hashing, in general, hardcoded salts reduce the effectiveness of hashing against precomputation attacks (like rainbow tables) if the salt becomes known. For security-critical applications, salts should be unique and randomly generated per item to enhance collision resistance and prevent precomputation attacks. For security-critical hashing, use a randomly generated, unique salt for each item. If the salt is intended to be public and fixed for this specific 'proof-of-remnant' use case, this might be acceptable, but it deviates from general cryptographic best practices. | LLM | anima_minter.py:11 |
| LOW | Use of Python pickle for data storage | The skill uses `networkx.write_gpickle` to store graph data, which internally uses Python's `pickle` module. While the current code only *writes* trusted data, `pickle` is known to be insecure against maliciously constructed data during *deserialization*. If this skill, or another component, were to later `read_gpickle` from an untrusted source, it could lead to arbitrary code execution. This is a general caution against using pickle for data that might ever be loaded from untrusted origins. For persistent storage, consider using more secure and interoperable data formats like JSON, YAML, or specialized graph databases if the data might ever be loaded from untrusted sources. If `gpickle` is strictly necessary, ensure that any deserialization only occurs from trusted, integrity-checked files. | LLM | anima_minter.py:20 |
| INFO | Requires raw Bluetooth socket access | The skill requires access to the raw Bluetooth socket (via `aioblescan.create_bt_socket`). This grants the ability to scan for nearby Bluetooth Low Energy devices and retrieve their MAC addresses. On many systems, this requires elevated privileges (e.g., root or specific capabilities like `CAP_NET_RAW`). While necessary for the skill's stated purpose, users should be aware of this significant permission requirement. Ensure users are fully aware of the elevated permissions required to run this skill. Consider adding a clear warning in the skill's documentation or during installation. | LLM | anima_minter.py:33 |