Trust Assessment
opensoul received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 2 medium, and 1 low severity. Key findings include "Missing required field: name", "Potential unencrypted sensitive data logged to public blockchain", and "Use of `--break-system-packages` in installation instructions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 9c1b8e80). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/mastergoogler/opensoul/SKILL.md:1 |
| MEDIUM | **Potential unencrypted sensitive data logged to public blockchain.** The OpenSoul skill is designed to log agent actions to the Bitcoin SV (BSV) blockchain, which is a public and immutable ledger. While the skill provides PGP encryption as an optional feature and strongly recommends its use for sensitive data, it does not enforce encryption. If an agent logs sensitive information (e.g., specific queries, internal states, proprietary data) to the `details` field of an `AuditLogger` entry without enabling PGP encryption, this data will be permanently exposed on the public blockchain. The `SKILL.md` explicitly states: '**Always use PGP encryption** for sensitive agent logs', indicating awareness of this risk. Ensure PGP encryption is enabled and properly configured for all `AuditLogger` instances, especially when logging any potentially sensitive information in the `details` field. Agents should be designed to classify data sensitivity and enforce encryption policies. Consider making PGP encryption mandatory for certain types of logs or providing clearer warnings within the `AuditLogger` class itself if encryption is disabled. | LLM | SKILL.md:190 |
| LOW | **Use of `--break-system-packages` in installation instructions.** The installation instructions for the skill recommend using `pip install --break-system-packages`. This flag can lead to conflicts with system-managed Python packages, potentially causing system instability or breaking other applications that rely on system Python. While it might resolve dependency issues in isolated environments, it is generally discouraged for global installations and introduces an unnecessary supply chain risk for the user's system environment. Remove the `--break-system-packages` flag from the installation instructions. Instead, recommend users install dependencies in a virtual environment (e.g., `python -m venv .venv && source .venv/bin/activate && pip install ...`) to isolate skill dependencies from system packages and avoid potential conflicts. | LLM | SKILL.md:68 |