Trust Assessment
nzbget received a trust score of 87/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $USER" and "Credentials embedded in URL".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Sensitive environment variable access: $USER. Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/aricus/nzbget/scripts/check_nzbget.sh:11 |
| MEDIUM | Credentials embedded in URL. The NZBGet username and password are directly embedded into the URL string used for API calls. This can lead to credential exposure if the URL is logged, printed during debugging, or if the `curl` command's output is not properly suppressed in all scenarios. Embedding credentials directly in the URL is an anti-pattern for handling sensitive information. Modify the `curl` command to use the `-u` option for authentication (e.g., `curl -u "${USER}:${PASS}" ...`) instead of embedding credentials directly in the URL. This prevents the credentials from appearing in the URL string itself, significantly reducing exposure risk. | LLM | scripts/check_nzbget.sh:14 |