Trust Assessment
bloom received a trust score of 53/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 3 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Sensitive environment variable access: $USER", and "Unpinned Git Repository Clone".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned Git Repository Clone.** The skill's `execute.sh` script clones the `bloom-identity-skill` repository from GitHub without specifying a commit hash or tag. This means that any future changes to the `main` branch of `https://github.com/unicornbloom/bloom-identity-skill.git` could introduce malicious code or vulnerabilities that would be automatically downloaded and executed by the skill upon installation or update. Pin the `git clone` operation to a specific, immutable commit hash or tag (e.g., `git clone -b <tag> --depth 1 ...`, or `git checkout <commit_hash>` after cloning, since `git clone -b` takes a branch or tag name, not a commit hash). Regularly audit the pinned version for updates and security patches, and update the skill's wrapper script accordingly. | LLM | execute.sh:20 |
| HIGH | **Unpinned NPM Dependencies.** The `execute.sh` script performs `npm install` within the cloned repository. Without a `package-lock.json` file being strictly version-controlled and verified, or explicit version pinning for all dependencies in `package.json`, this can lead to installing different or potentially malicious versions of packages over time. This introduces a supply chain risk where a compromised dependency could lead to arbitrary code execution. Ensure the cloned repository includes a `package-lock.json` file that is committed and verified. Modify the script to use `npm ci` instead of `npm install` to ensure deterministic installations based on `package-lock.json`. Explicitly pin all dependencies in `package.json` to exact versions. | LLM | execute.sh:31 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/unicornbloom/bloom/execute.sh:14 |
| MEDIUM | **Sensitive environment variable access: $USER.** Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/unicornbloom/bloom/execute.sh:98 |
| MEDIUM | **Default JWT Secret in .env.** The `execute.sh` script creates a `.env` file with `JWT_SECRET=default_secret_change_me` if one doesn't exist. Using a default, well-known secret for JWTs can lead to predictable tokens, allowing attackers to forge or bypass authentication if this secret is used in a production environment without being changed. While the script implies it should be changed, its presence as a default is a security risk. Generate a strong, random secret during installation or require the user to provide one immediately. Avoid hardcoding default secrets. If a default is absolutely necessary for initial setup, ensure it's clearly communicated as insecure and requires immediate change, and ideally, prevent functionality that relies on it until it's updated. | LLM | execute.sh:47 |