Trust Assessment
lunchtable-tcg received a trust score of 27/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 0 critical, 2 high, 6 medium, and 1 low severity. Key findings include Hardcoded Bearer Token detected, Potential hardcoded secret (high entropy), Suspicious import: requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 35/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/dexploarer/lunchtable-tcg/SKILL.md:529 |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/dexploarer/lunchtable-tcg/SKILL.md:544 |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.10) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/dexploarer/lunchtable-tcg/SKILL.md:26 |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.10) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/dexploarer/lunchtable-tcg/SKILL.md:38 |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.10) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/dexploarer/lunchtable-tcg/SKILL.md:41 |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.10) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/dexploarer/lunchtable-tcg/SKILL.md:53 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/dexploarer/lunchtable-tcg/examples/basic-agent.py:33 |
| MEDIUM | **Potential Command Injection via `curl` examples.** The `SKILL.md` provides numerous `curl` command examples for interacting with the game API. In the `claude_code` ecosystem, an AI agent is expected to interpret this documentation and generate executable code. If the generated code directly executes these `curl` commands by substituting user-controlled input (e.g., agent name, callback URL, game IDs, card IDs, targets) into the URL or JSON body without proper validation and shell escaping, it could lead to command injection. A malicious user could craft input containing shell metacharacters, potentially executing arbitrary commands on the host system. When generating code based on these `curl` examples, ensure that all user-provided inputs are strictly validated and properly escaped for the shell environment before being passed to `curl` or any other command-line utility. A more robust approach would be to generate code that uses a dedicated HTTP client library (e.g., `requests` in Python, `fetch` in JavaScript/TypeScript) which handles parameter serialization and escaping more securely than direct shell execution. | LLM | SKILL.md:17 |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/dexploarer/lunchtable-tcg/package.json |