Trust Assessment
dataset-finder received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 0 critical, 1 high, 11 medium, and 0 low severity. Key findings include Suspicious import: requests, Potential data exfiltration: file read + network send, Unpinned Python dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Dependency Graph layer scored lowest at 37/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings12
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential data exfiltration: file read + network send Function 'uci_download' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/anisafifi/dataset-finder/scripts/dataset.py:326 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/anisafifi/dataset-finder/scripts/dataset.py:39 | |
| MEDIUM | Unpinned Python dependency version Requirement 'kaggle>=1.5.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/anisafifi/dataset-finder/scripts/requirements.txt:4 | |
| MEDIUM | Unpinned Python dependency version Requirement 'datasets>=2.14.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/anisafifi/dataset-finder/scripts/requirements.txt:7 | |
| MEDIUM | Unpinned Python dependency version Requirement 'huggingface-hub>=0.17.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/anisafifi/dataset-finder/scripts/requirements.txt:8 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pandas>=2.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/anisafifi/dataset-finder/scripts/requirements.txt:11 | |
| MEDIUM | Unpinned Python dependency version Requirement 'requests>=2.31.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/anisafifi/dataset-finder/scripts/requirements.txt:14 | |
| MEDIUM | Unpinned Python dependency version Requirement 'beautifulsoup4>=4.12.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/anisafifi/dataset-finder/scripts/requirements.txt:15 | |
| MEDIUM | Unpinned Python dependency version Requirement 'lxml>=4.9.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/anisafifi/dataset-finder/scripts/requirements.txt:16 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pyarrow>=13.0.0 # Fast Parquet support' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/anisafifi/dataset-finder/scripts/requirements.txt:19 | |
| MEDIUM | Unpinned Python dependency version Requirement 'fastparquet>=2023.0.0 # Alternative Parquet engine' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/anisafifi/dataset-finder/scripts/requirements.txt:20 | |
| MEDIUM | Unpinned or Loosely Pinned Dependencies The `requirements.txt` file uses loose version specifiers (e.g., `>=1.5.0`) instead of exact pinning (`==1.5.0`). This can lead to unexpected behavior, compatibility issues, or the introduction of vulnerabilities if a future version of a dependency contains a bug or malicious code. While common, for security-sensitive applications, exact pinning is recommended to ensure deterministic builds and prevent supply chain attacks. Pin all dependencies to exact versions (e.g., `kaggle==1.5.0`). Use a tool like `pip-compile` or `pip freeze > requirements.txt` after verifying all dependencies to generate a fully pinned `requirements.txt`. | LLM | scripts/requirements.txt:4 |
Scan History
Embed Code
[](https://skillshield.io/report/8ea37148ac3393f1)
Powered by SkillShield