Trust Assessment
geo-optimization received a trust score of 57/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 2 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Suspicious import: requests, Unpinned Python Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/andrewdmwalker/geo-optimization/scripts/geo-monitor.py:59 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/andrewdmwalker/geo-optimization/scripts/geo-monitor.py:56 | |
| MEDIUM | Unpinned Python Dependency The `scripts/geo-monitor.py` script uses the `requests` library without specifying a version. This introduces a supply chain risk, as a future update to `requests` could introduce vulnerabilities, breaking changes, or a compromised version could be installed if not explicitly pinned. It is best practice to pin dependencies to specific versions to ensure consistent and secure behavior. Add a `requirements.txt` file to the project root with pinned versions for all dependencies, e.g., `requests==2.31.0`. Ensure these dependencies are installed in a virtual environment. | LLM | scripts/geo-monitor.py:30 | |
| INFO | Hardcoded Absolute Path The `scripts/geo-daily-monitor.sh` script uses a hardcoded absolute path (`/Users/awalker/clawd`) for the `WORKSPACE` variable. This makes the script non-portable and prone to failure when deployed in different environments or by other users. While not a direct security vulnerability, it can lead to operational issues or unintended file access if the path exists and is writable by the script in a different context. Replace the hardcoded path with a relative path, an environment variable, or a configurable parameter to improve portability and maintainability. For example, use `WORKSPACE="$(dirname "$(dirname "$SCRIPT_DIR")")"` to refer to the project root relative to the script. | LLM | scripts/geo-daily-monitor.sh:6 |
Scan History
Embed Code
[](https://skillshield.io/report/ca2c857e6fcd3046)
Powered by SkillShield