Trust Assessment
half-full received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Untrusted JSON deserialization from command-line argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Untrusted JSON deserialization from command-line argument The `cmd_add` function in `scripts/log.py` directly deserializes the `args.items` command-line argument using `json.loads()`. While `json.loads` itself is generally safe from arbitrary code execution, a maliciously crafted JSON string could lead to denial-of-service (e.g., resource exhaustion from deeply nested objects) or unexpected behavior/crashes if the resulting data structure is not what the application expects. This represents a potential attack vector for data corruption or application instability. Validate the structure and content of the JSON string before deserialization, or implement robust error handling for malformed input. Consider using a schema validator for the expected JSON structure to ensure it conforms to the application's expectations. | LLM | scripts/log.py:100 |
Scan History
Embed Code
[](https://skillshield.io/report/70628b0f285a7115)
Powered by SkillShield