Trust Assessment
hn-digest received a trust score of 13/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unsafe environment variable passthrough, Credential harvesting, and Suspicious import: urllib.request.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Credential harvesting: Reading well-known credential environment variables. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/cpojer/hn-digest/scripts/mood_image.py:72 |
| CRITICAL | Arbitrary File Write via Unsanitized Output Path: The `generate_mood_nano_banana.sh` script takes the output path (`$1`) directly from the skill invocation (which is influenced by user input) and passes it to `nano_banana_mood.py` as the `--out` argument. The Python script uses `Path(args.out).expanduser().resolve()` to determine the final write location. While `.resolve()` canonicalizes the path, it does not restrict it to a safe, sandboxed directory. An attacker can specify an arbitrary path (e.g., `/etc/passwd`, `/home/user/.ssh/authorized_keys`) to write the generated image data, leading to data corruption, denial of service, or potential privilege escalation if sensitive files are overwritten. Implement strict path validation to ensure the output path is within an allowed, sandboxed directory (e.g., a temporary directory or a subdirectory specifically created for skill outputs). Do not allow `..` or absolute paths outside the skill's designated output area. A common approach is to generate a unique filename within a secure temporary directory. | LLM | scripts/generate_mood_nano_banana.sh:4 |
| HIGH | Unsafe environment variable passthrough: Access to well-known credential environment variables. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/cpojer/hn-digest/scripts/mood_image.py:72 |
| HIGH | Unpinned Python Dependencies in Installation Script: The `generate_mood_nano_banana.sh` script installs Python packages (`google-genai`, `pillow`) using `pip install` without specifying exact version numbers. This practice makes the skill vulnerable to supply chain attacks, where a malicious actor could publish a compromised version of one of these packages. If such a package is installed, it could lead to arbitrary code execution within the skill's environment. Pin all Python dependencies to exact versions (e.g., `google-genai==0.3.1`, `pillow==10.2.0`). Use a `requirements.txt` file with pinned versions and install with `pip install -r requirements.txt`. Regularly audit and update these pinned versions. | LLM | scripts/generate_mood_nano_banana.sh:11 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/cpojer/hn-digest/scripts/mood_image.py:7 |