Trust Assessment
golemedin-mcp received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The key finding is an insecure credential storage example in the configuration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Insecure credential storage example in configuration.** The example configuration for `mcpServers` in `SKILL.md` shows `GOLEMEDIN_OWNER_KEY` being set directly within the JSON `env` block. While this is a placeholder, it encourages users to hardcode sensitive API keys directly into a configuration file. This practice can lead to accidental exposure (e.g., via version control or insecure file permissions); more secure methods include environment variables managed by the host system or a dedicated secrets manager. The manifest and the 'Configuration' section correctly identify `GOLEMEDIN_OWNER_KEY` as an environment variable, suggesting environment variables are the preferred secure method. Advise users to use system-level environment variables or a secrets manager for `GOLEMEDIN_OWNER_KEY` instead of hardcoding it in configuration files. Update the example to either omit `GOLEMEDIN_OWNER_KEY` from the `env` block, or explicitly reference an environment variable if the configuration parser supports it (e.g., `"GOLEMEDIN_OWNER_KEY": "${GOLEMEDIN_OWNER_KEY}"`). | LLM | SKILL.md:23 |