Trust Assessment
health-guardian received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings: Node lockfile missing; arbitrary file read and potential data exfiltration via `config.json` `data_source`; arbitrary file read of `readings.json` via `config.json` `data_dir`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary file read and potential data exfiltration via config.json data_source. The `import_health.py` script allows the `data_source` field in `config.json` to specify an arbitrary path to a `.zip` or `.json` file. If an attacker can modify `config.json` (which is treated as untrusted input), they can instruct the agent to read any `.zip` or `.json` file on the system. The `parse_zip` function will extract and read CSVs from a specified zip, and `parse_json_export` will read and parse a specified JSON file. While the skill states 'Nothing leaves your machine,' the ability to read arbitrary files grants excessive permissions. If sensitive data is read this way, and the agent is configured to send alerts (as suggested by `alert_channel` in `config.json` and `HEARTBEAT.md` instructions), this could lead to data exfiltration by including the sensitive content in alert messages. Restrict `data_source` to a predefined, secure directory (e.g., a subdirectory within the skill's data folder or a specific, sandboxed user data directory). Validate `data_source` to ensure it does not contain path traversal characters (`..`) or point outside the allowed scope. Alternatively, only allow `data_source` to be a directory, and then use `find_latest_zip()`/`find_latest_json()` which operate on the hardcoded `HEALTH_EXPORT_PATH`. | LLM | scripts/import_health.py:197 |
| MEDIUM | Arbitrary file read of 'readings.json' via config.json data_dir. The `analyze.py` script loads `data_dir` from `config.json`. If an attacker can modify `config.json` (which is treated as untrusted input), they can set `data_dir` to an arbitrary path (e.g., `/etc`). The script will then attempt to open and `json.load` the file `readings.json` within that specified directory (e.g., `/etc/readings.json`). This grants excessive permissions by allowing the agent to attempt to read a file from an arbitrary system location, even if the filename is fixed. Ensure `data_dir` is always a subdirectory within the skill's designated data storage, or validate the path to prevent directory traversal and access to arbitrary system locations. | LLM | scripts/analyze.py:108 |
| LOW | Node lockfile missing. `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/ctsolutionsdev/proactive-health/package.json |