Trust Assessment
ga4 received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Suspicious import: requests, Unpinned Python Dependencies in Installation Instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/jdrhyne/ga4/scripts/ga4_auth.py:41 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/jdrhyne/ga4/scripts/ga4_auth.py:39 | |
| INFO | Unpinned Python Dependencies in Installation Instructions The installation instructions suggest installing Python packages without specifying exact versions (`pip install package`). This can lead to non-deterministic builds, compatibility issues, or introduce vulnerabilities if a future version of a dependency contains a security flaw. While the listed packages (`google-analytics-data`, `google-auth-oauthlib`) are widely used and generally trusted, pinning versions is a best practice for supply chain security. Pin dependency versions in installation instructions (e.g., `pip install google-analytics-data==X.Y.Z google-auth-oauthlib==A.B.C`). For production environments, consider using a `requirements.txt` file with pinned versions. | LLM | scripts/ga4_query.py:10 | |
| INFO | Unpinned Python Dependencies in Installation Instructions The installation instructions suggest installing Python packages without specifying exact versions (`pip install package`). This can lead to non-deterministic builds, compatibility issues, or introduce vulnerabilities if a future version of a dependency contains a security flaw. While the listed package (`google-auth-oauthlib`) is widely used and generally trusted, pinning versions is a best practice for supply chain security. Pin dependency versions in installation instructions (e.g., `pip install google-auth-oauthlib==A.B.C`). For production environments, consider using a `requirements.txt` file with pinned versions. | LLM | scripts/ga4_auth.py:10 |
Scan History
Embed Code
[](https://skillshield.io/report/771ca7cf30483c9d)
Powered by SkillShield