Trust Assessment
morning-manifesto received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include "Broad Linear Query Exposes Sensitive Data", "Unsanitized User Input Stored in Obsidian Note", and "Unsanitized User Input Used for Apple Reminders".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Broad Linear Query Exposes Sensitive Data | The skill queries Linear for 'urgent issues' across 'all teams' and then sends this information to the user. This broad scope of access to potentially sensitive internal project data from all teams, combined with its direct output to the user, presents a significant data exfiltration risk. The 'all teams' scope also indicates excessive permissions. | Restrict Linear query scope to specific, necessary teams or projects. Implement data sanitization or redaction before sending Linear issue details to the user. | LLM | SKILL.md:30 |
| MEDIUM | Unsanitized User Input Stored in Obsidian Note | User responses are directly appended to an Obsidian markdown file without sanitization. If this Obsidian note is later used as context for an LLM, malicious markdown or injected instructions within the user's response could lead to prompt injection, data manipulation, or other integrity issues. | Sanitize user input before writing to the Obsidian note. Implement strict markdown parsing or escape special characters to prevent injection of malicious content or instructions. | LLM | SKILL.md:20 |
| LOW | Unsanitized User Input Used for Apple Reminders | User-provided 'Tasks and commitments' are used directly to create or update Apple Reminders. While Apple Reminders are not typically executable, injecting malicious or misleading content could lead to social engineering or disruption if other systems consume reminder data or if the user is misled. | Sanitize user input before creating or updating Apple Reminders. Implement length limits or character restrictions for task names to prevent injection of overly long or malicious strings. | LLM | SKILL.md:34 |