Trust Assessment
miniflux received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include API Key Persistence to Local File.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **API Key Persistence to Local File.** The `save_config` function in `scripts/miniflux-cli.py` persists the provided `--api-key` argument to a local configuration file (`~/.local/share/miniflux/config.json`). While this is documented behavior for convenience, it means that if an AI agent is tricked into providing a sensitive API key (e.g., for a different service) via the `--api-key` command-line flag, that credential will be written to disk. This could lead to credential harvesting if the agent's environment is compromised or if other skills have access to this configuration file. 1. Avoid automatic persistence of CLI-provided credentials. Only persist credentials if explicitly confirmed by the user/agent, or if they are loaded from a secure source. 2. Separate transient CLI credentials from persistent configuration. If CLI flags are meant for one-time use, do not save them to the config file. 3. Add a stronger warning in documentation emphasizing that any key provided via `--api-key` will be written to disk. | LLM | scripts/miniflux-cli.py:33 |