Trust Assessment
google-tasks received a trust score of 14/100, placing it in the Untrusted category. The skill has security findings that need to be resolved, or at least reviewed by hand, before it is used in production.
SkillShield's automated analysis reported 6 findings: 2 critical, 1 high, 1 medium, and 2 low severity. The key findings are arbitrary command execution (both CRITICAL findings, in scripts/refresh_token.js), unpinned npm dependency versions, and a missing Node lockfile. Two of the six findings (the MEDIUM and the second LOW) describe the same unpinned `google-auth-library` range, reported by different layers.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100; it is the layer that produced the two CRITICAL command-execution findings.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location | Detail and recommendation |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution (rule: Python dynamic code execution, exec/eval/compile) | Manifest | skills/addozhang/google-tasks/scripts/refresh_token.js:133 | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. Check before acting: this is a Python exec/eval rule that matched in a JavaScript file, so the match is almost certainly a Node `exec` call (the `child_process` require at line 4 is the companion finding), not Python code; confirm whether the command string at line 133 includes any runtime data. |
| CRITICAL | Arbitrary command execution (Node.js `child_process` require) | Manifest | skills/addozhang/google-tasks/scripts/refresh_token.js:4 | Same recommendation as above. Importing `child_process` is a capability signal rather than a vulnerability on its own; the actual risk is decided at the call site (line 133), by whether the command is static and whether arguments are passed as an argv array (`execFile`/`spawn`) or interpolated into a shell string (`exec`). |
| HIGH | Unpredictable `googleapis` dependency version (`^144.0.0`) | LLM | package.json:11 | The LLM layer reports that the latest stable `googleapis` it knows of is significantly lower (about 128.0.0), so `^144.0.0` (that is, `>=144.0.0 <145.0.0`) would refer to a non-existent or future version, risking installation failure or unpredictable resolution. This comparison is the model's recollection of registry state, not a registry lookup, and may be stale: verify with `npm view googleapis versions --json`. If a 144.x release exists, the residual issue is the same floating caret range as the `google-auth-library` findings below; if none exists, `npm install` fails with a no-matching-version error rather than installing something else, and a future release inside the range by the package's own publishers is the same exposure any caret range carries. Either way, pin to an exact version that you have confirmed exists on npm and tested for compatibility. |
| MEDIUM | Unpinned npm dependency version (`google-auth-library` `^9.0.0`) | Dependencies | skills/addozhang/google-tasks/package.json | Pin dependencies to exact versions to reduce drift and supply-chain risk. Exact top-level pins do not fix transitive dependencies; that needs the committed lockfile from the next finding. |
| LOW | Node lockfile missing | Dependencies | skills/addozhang/google-tasks/package.json | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution and install with `npm ci` (or the pnpm/yarn equivalent with a frozen lockfile), which refuses to run if the lockfile and package.json disagree instead of silently re-resolving. |
| LOW | Unpinned `google-auth-library` dependency (`^9.0.0`) | LLM | package.json:10 | Same issue as the MEDIUM finding above, reported by the LLM layer. A caret range accepts any 9.x.y release, so a breaking change or a compromised release within the range would be installed automatically. Pin to an exact version (the report uses "9.10.0" as an illustration; confirm the version you choose exists and is compatible), or use a tilde range (`~9.0.0`) to accept patch releases only. |
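To reproduce the dependency and shell-execution checks behind these findings before installing the skill, the following is an added example written for this page; it is not SkillShield's scanner and not code from the google-tasks skill. The sample package.json, file list and source text are constructed to mirror the findings above (the `open` dependency and the source lines are invented for contrast), and the pattern list is an assumption about what a Manifest-layer rule looks for, not the tool's actual rules.

```javascript
'use strict';
// Added example for this page (not SkillShield's scanner, not the google-tasks
// skill's code): reproduces the checks behind three finding types in the report
// on constructed sample input. Runs offline with plain Node.js; no dependencies.

// An exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build, no operator.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Specifiers that bypass the registry's version list (local paths, git, URLs, aliases).
const NON_REGISTRY = /^(?:file:|link:|workspace:|npm:|git\+|git:|github:|https?:)/;

// Classify one package.json dependency specifier.
function classifySpecifier(spec) {
  if (EXACT_VERSION.test(spec)) return 'exact';
  if (NON_REGISTRY.test(spec) || /^[\w.-]+\/[\w.-]+(?:#\S*)?$/.test(spec)) return 'non-registry';
  return 'range'; // ^, ~, >=, x, *, "", "latest", "1.0.0 - 2.0.0", "a || b"
}

// Every dependency that is not pinned to a single exact version.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpecifier(spec);
      if (kind !== 'exact') findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// A committed lockfile is what makes resolution deterministic, including for
// transitive dependencies that exact top-level pins do not cover.
const LOCKFILES = ['package-lock.json', 'npm-shrinkwrap.json', 'pnpm-lock.yaml', 'yarn.lock'];
function findLockfile(fileNames) {
  return LOCKFILES.find((name) => fileNames.includes(name)) || null;
}

// Line-oriented scan for shell-execution and dynamic-code patterns (an assumed
// rule set, not SkillShield's). The `exec` that child_process exports is what a
// Python-style exec/eval rule matches in a .js file, so it is named as such here.
const SHELL_PATTERNS = [
  { name: 'child_process import',
    re: /require\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"]/ },
  { name: 'shell exec call',
    re: /\b(?:exec|execSync|spawn|spawnSync|execFile|execFileSync)\s*\(/ },
  // The finding that matters: the command string is assembled from runtime data.
  { name: 'dynamic command string',
    re: /\b(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|[^)]*\+)/ },
  { name: 'dynamic code evaluation', re: /\beval\s*\(|new\s+Function\s*\(/ },
];
function scanForShellExec(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const { name, re } of SHELL_PATTERNS) {
      if (re.test(text)) hits.push({ line: i + 1, pattern: name, text: text.trim() });
    }
  });
  return hits;
}

// Constructed sample input mirroring the report's findings; the `open`
// dependency and the source lines are invented for contrast.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-skill',
  dependencies: {
    'google-auth-library': '^9.0.0', // floats to any 9.x.y
    googleapis: '^144.0.0',          // floats to any 144.x.y
    open: '10.1.0',                  // exact: not flagged
  },
};
const SAMPLE_FILES = ['package.json', 'SKILL.md', 'scripts/refresh_token.js']; // no lockfile
const SAMPLE_SOURCE = [
  "const { exec } = require('child_process');",
  'function openBrowser(url) {',
  '  // command string built from a runtime value: metacharacters in url reach the shell',
  '  exec(`open "${url}"`);',
  '}',
  "const { execFile } = require('node:child_process');",
  "execFile('/usr/bin/xdg-open', [process.argv[2]]); // static program, argument passed as data",
].join('\n');

function auditSample() {
  return {
    unpinned: auditDependencies(SAMPLE_PACKAGE_JSON), // 2 findings, both 'range'
    lockfile: findLockfile(SAMPLE_FILES),             // null
    shell: scanForShellExec(SAMPLE_SOURCE),           // 5 hits; line 4 is the dynamic one
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Run it with `node audit.js` to print the JSON. The `dynamic command string` pattern is what separates a real command-injection risk (a template literal or concatenation inside `exec`) from a static `execFile` call with an argv array, which the two CRITICAL rows cannot distinguish on their own. The version-existence question in the HIGH row needs a registry lookup (`npm view googleapis versions --json`) that this offline script deliberately does not do.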
Full report: [SkillShield report 95ee19124066bdfb](https://skillshield.io/report/95ee19124066bdfb)