Trust Assessment
gcal-pro received a trust score of 14/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 1 critical, 0 high, 8 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Suspicious import: requests, Suspicious import: socket.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Dependency Graph layer scored lowest at 58/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings9
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/bilalmohamed187-cpu/gcal-pro-calendar/scripts/gcal_auth.py:159 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/bilalmohamed187-cpu/gcal-pro-calendar/scripts/gcal_auth.py:158 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/bilalmohamed187-cpu/gcal-pro-calendar/scripts/gcal_license.py:24 | |
| MEDIUM | Unpinned Python dependency version Requirement 'google-auth>=2.23.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bilalmohamed187-cpu/gcal-pro-calendar/requirements.txt:2 | |
| MEDIUM | Unpinned Python dependency version Requirement 'google-auth-oauthlib>=1.1.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bilalmohamed187-cpu/gcal-pro-calendar/requirements.txt:3 | |
| MEDIUM | Unpinned Python dependency version Requirement 'google-auth-httplib2>=0.1.1' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bilalmohamed187-cpu/gcal-pro-calendar/requirements.txt:4 | |
| MEDIUM | Unpinned Python dependency version Requirement 'google-api-python-client>=2.100.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bilalmohamed187-cpu/gcal-pro-calendar/requirements.txt:5 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pytz>=2023.3' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bilalmohamed187-cpu/gcal-pro-calendar/requirements.txt:6 | |
| MEDIUM | Unpinned Python dependency version Requirement 'python-dateutil>=2.8.2' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/bilalmohamed187-cpu/gcal-pro-calendar/requirements.txt:7 |
Scan History
Embed Code
[](https://skillshield.io/report/8606eef7557443a7)
Powered by SkillShield