Trust Assessment
lifepath received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 1 medium, and 2 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Hardcoded API Keys in Source Code.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Hardcoded API Keys in Source Code: The `StoryGenerator` class contains hardcoded Google Gemini API keys directly within the source code. These keys are publicly visible in the provided skill package, allowing anyone to use them. This poses a severe security risk as it can lead to unauthorized API usage, potential billing abuse, and compromise of the associated Google Cloud project. Remove all hardcoded API keys from the source code. Ensure all sensitive credentials, including API keys, are loaded exclusively from secure environment variables (e.g., `process.env.GEMINI_API_KEY`) or a dedicated secrets management system. Rotate the exposed API keys immediately. | LLM | src/services/storyGenerator.js:7 |
| MEDIUM | Unpinned npm dependency version: Dependency `@fastify/cors` is not pinned to an exact version (`^9.0.1`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/ezbreadsniper/lifepath/package.json |
| LOW | Node lockfile missing: `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/ezbreadsniper/lifepath/package.json |
| LOW | Unpinned Dependencies in package.json: The `package.json` file uses caret (`^`) ranges for dependency versions. While common, this practice allows automatic updates to minor or patch versions, which could introduce breaking changes, vulnerabilities, or malicious code if a dependency's maintainer is compromised. For critical applications, exact version pinning is recommended. Consider pinning all dependencies to exact versions (e.g., `"axios": "1.7.9"` instead of `"axios": "^1.7.9"`). Use a dependency lock file (`package-lock.json` or `yarn.lock`) to ensure deterministic builds. Regularly audit dependencies for known vulnerabilities. | LLM | package.json:26 |
Full report: https://skillshield.io/report/3566d45aac7be81a
Powered by SkillShield