Trust Assessment
Deepdub TTS received a trust score of 84/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 2 medium, and 1 low severity. Key findings include Unpinned Python dependency version, Hardcoded trial API key and voice prompt ID, Unpinned Python dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned Python dependency version Requirement 'deepdub' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/yuval-deepdub/deepdub-tts/requirements.txt:1 | |
| MEDIUM | Hardcoded trial API key and voice prompt ID The `SKILL.md` file contains hardcoded trial credentials (`DEEPDUB_API_KEY` and `DEEPDUB_VOICE_PROMPT_ID`). While noted as for 'testing only,' exposing any form of API key directly in documentation is a security risk, as it could be inadvertently used in production or scraped by automated tools. This practice increases the attack surface for credential harvesting. Remove hardcoded credentials from `SKILL.md`. Instruct users to obtain trial credentials from an external, secure source (e.g., a Deepdub website link) rather than embedding them directly in the skill package. If examples are absolutely necessary, use clearly fake, non-functional placeholders (e.g., `DEEPDUB_API_KEY=YOUR_DEEPDUB_API_KEY`). | LLM | SKILL.md:30 | |
| LOW | Unpinned Python dependency The `requirements.txt` file specifies the `deepdub` package without a version pin. This means that installing the skill could pull in any future version of the `deepdub` library, which might introduce breaking changes, new vulnerabilities, or even malicious code if the package repository is compromised. This introduces a supply chain risk. Pin the `deepdub` dependency to a specific version (e.g., `deepdub==1.2.3`) or at least a major/minor version (e.g., `deepdub~=1.2`). Use `pip freeze > requirements.txt` or `uv pip freeze > requirements.txt` to generate precise pins. | LLM | requirements.txt:1 |
Scan History
Embed Code
[](https://skillshield.io/report/e776cbcb4a6c2b0b)
Powered by SkillShield