Trust Assessment
morning received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include: "Skill requires direct API key secret for authentication".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Skill requires direct API key secret for authentication.** The skill's authentication mechanism explicitly requires the `apiKeySecret` to be provided directly as an input parameter for the `getToken` action. While the skill's guardrails mention "Never log or echo `apiKeySecret` or JWTs back to the user", the direct handling of this sensitive credential by the skill increases the risk of exposure if the skill's implementation or the underlying API interaction has vulnerabilities, or if the LLM itself is compromised and misuses this input. This pattern makes the skill a target for credential harvesting if not implemented with extreme care. Implement robust secret management practices within the skill. Ensure the `apiKeySecret` is handled securely, not stored persistently, and only used for its intended purpose. Consider using environment variables or a secure vault for secrets rather than direct input if possible. Ensure the LLM is instructed to pass this securely and not log it in conversational history. | LLM | SKILL.md:34 |