Trust Assessment
frigate received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings: a suspicious import (`requests`); an arbitrary file write via an unvalidated command-line argument; and insecure communication due to disabled SSL/TLS verification.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Arbitrary file write via unvalidated command-line argument.** The `scripts/frigate.py` script allows an attacker to specify an arbitrary `output_path` for saving camera snapshots via the command line. This path is directly used in `open(output_path, 'wb')` without validation, enabling path traversal or overwriting of critical system files. An attacker could craft an `output_path` like `/etc/passwd` or `../../../../tmp/malicious.sh` to write content to unintended locations. Recommendation: implement robust validation for the `output_path` argument. Ensure the path is normalized, does not contain path traversal sequences (e.g., `../`), and is restricted to a safe, intended directory (e.g., a temporary directory or a user-specific output folder). Consider generating a unique, safe filename within a controlled directory. | LLM | scripts/frigate.py:68 |
| MEDIUM | **Suspicious import: requests.** Import of `requests` detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/porygonthebot/frigate/scripts/frigate.py:19 |
| MEDIUM | **Insecure communication due to disabled SSL/TLS verification.** The `scripts/frigate.py` script explicitly disables SSL/TLS certificate verification for all HTTPS requests (`verify=False` and `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`). While this might be intended for self-signed certificates on private networks, it makes the communication vulnerable to Man-in-the-Middle (MitM) attacks, allowing an attacker to intercept, read, or alter sensitive data exchanged with the Frigate NVR. Recommendation: enable SSL/TLS certificate verification. For self-signed certificates, provide the path to the trusted CA certificate bundle (e.g., `verify='/path/to/ca.pem'`) instead of disabling verification entirely. This ensures that the client only communicates with the legitimate Frigate NVR server. | LLM | scripts/frigate.py:19 |
Full report: https://skillshield.io/report/3d305a8de7558015