Trust Assessment
notnative received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include Unpinned npm dependency version, Arbitrary Python Code Execution, Excessive Permissions via Generic Tool Call.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Python Code Execution.** The skill explicitly provides a `run-python` command that allows executing arbitrary Python code via the `run_python_code` MCP tool. This grants the AI agent (and potentially an attacker) the ability to execute any system command or script on the host machine where the Notnative app is running, leading to full system compromise. Remediation: remove the `run-python` capability entirely, or implement a highly restrictive sandboxed environment for Python execution that prevents access to system resources, network, and sensitive files. Ensure only a predefined, safe set of libraries and functions are available. | LLM | SKILL.md:70 |
| HIGH | **Excessive Permissions via Generic Tool Call.** The `call` command allows invoking any of the 86 available Notnative MCP tools with arbitrary JSON arguments. This grants the AI agent (and potentially an attacker) full, unrestricted access to the Notnative application's entire API surface, including sensitive operations like file management, web browsing, and task/event creation. This broad access significantly increases the attack surface. Remediation: implement a strict whitelist of allowed MCP tools and their permissible arguments. Avoid exposing a generic "call any tool" mechanism; instead, create specific, narrowly scoped wrappers for each required Notnative function. | LLM | SKILL.md:77 |
| HIGH | **Data Exfiltration and Prompt Injection via Web Access.** The skill exposes `web_search`, `web_browse`, and `get_youtube_transcript` tools, allowing the AI agent to access arbitrary URLs. This capability can be exploited for data exfiltration (e.g., by browsing to an attacker-controlled server with sensitive data in the URL or POST body) or for prompt injection (by fetching malicious content from a website and feeding it back to the LLM as part of its context). Remediation: restrict web access tools (`web_search`, `web_browse`, `get_youtube_transcript`) to a predefined set of trusted domains. Implement content filtering and sanitization for any data retrieved from external websites before it is processed by the LLM. Consider using a dedicated, isolated browsing environment. | LLM | SKILL.md:86 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `ws` is not pinned to an exact version (`^8.19.0`). Remediation: pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/k4ditano/notnative/package.json |
| MEDIUM | **Broad Note Management Permissions.** The skill provides extensive note management capabilities including `create_note`, `read_note`, `update_note`, `append_to_note`, `rename_note`, `move_note`, and `delete_note`. While these are core functionalities, granting an AI agent such broad control over a user's notes (which may contain sensitive information) without fine-grained access control or confirmation mechanisms could lead to data loss, unauthorized modification, or information disclosure if exploited. Remediation: implement user confirmation steps for destructive actions (e.g., `delete_note`, or `update_note` calls that overwrite content). Consider limiting the scope of notes the AI can access or modify, or requiring explicit user approval for access to sensitive note categories. Ensure the Notnative application itself has robust input validation to prevent path traversal or code injection within note content. | LLM | SKILL.md:98 |
Full report: https://skillshield.io/report/35b247ce989050f2
Powered by SkillShield