Trust Assessment
handling-attachments received a trust score of 88/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Custom Upload Callback for Data Exfiltration Risk.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Custom Upload Callback for Data Exfiltration Risk: The skill's design explicitly allows for a custom `uploadCallback` function to be provided, which is responsible for uploading encrypted files to an external storage provider (e.g., Pinata, S3). While this is intended functionality for flexible storage, a malicious or insecurely implemented `uploadCallback` could exfiltrate sensitive user data to an unauthorized endpoint, bypass encryption, or introduce other vulnerabilities during the upload process. The `SKILL.md` itself categorizes `upload-callback` as a 'HIGH' priority concern. Implement robust validation and security checks within any custom `uploadCallback` function. Ensure the `uploadCallback` only sends data to trusted, whitelisted endpoints. Provide clear security guidelines and best practices for users implementing custom `uploadCallback` functions, emphasizing data integrity and confidentiality. Consider sandboxing or restricting network access for custom callbacks if the execution environment allows. | LLM | SKILL.md:30 |