Trust Assessment
onedrive received a trust score of 97/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 0 medium, and 1 low severity. Key findings include Sensitive API Key Exposed via Environment Variable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| LOW | Sensitive API Key Exposed via Environment Variable. The skill's examples demonstrate accessing the `MATON_API_KEY` directly from environment variables (`os.environ["MATON_API_KEY"]` in Python, `process.env.MATON_API_KEY` in JavaScript). While this is a common and declared method (as per manifest `requires.env`), storing sensitive credentials directly in environment variables can increase the risk of data exfiltration if the skill's execution environment is compromised, as the key is readily accessible in plain text within the process memory. An attacker gaining access to the execution environment could easily retrieve and misuse this key. For production environments or highly sensitive applications, consider using a secure secret management system (e.g., AWS Secrets Manager, HashiCorp Vault, Kubernetes Secrets) instead of plain environment variables. Ensure strict access controls and isolation on the skill's execution environment to prevent unauthorized access to environment variables. | LLM | SKILL.md:13 |