Trust Assessment
deep-research received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include API Key sent to public tunneling service.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | API Key sent to public tunneling service The provided MCP configuration example demonstrates passing a sensitive API key (`CRAFTED_API_KEY`) as an `x-api-key` header to a service hosted on `bore.pub`. `bore.pub` is a public tunneling service, and sending sensitive credentials over such a service, especially to an arbitrary endpoint, poses a significant risk of credential exposure and data exfiltration. If this configuration is implemented with a real API key, the key would be transmitted to a third-party public service, making it vulnerable to interception or logging by the tunneling provider. Avoid sending API keys or other sensitive credentials to public tunneling services like `bore.pub`. Ensure all API communication involving secrets uses secure, trusted, and private endpoints. If `bore.pub` is used for development, ensure it is not used in production and that no real credentials are ever exposed. Implement secure secret management practices, such as using environment variables, dedicated secret stores, or platform-provided secret management, instead of hardcoding or passing keys directly in arguments to public services. | LLM | SKILL.md:63 |
Scan History
Embed Code
[](https://skillshield.io/report/77d9c5237885ca3f)
Powered by SkillShield