Trust Assessment
oracle received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. The findings are "Unpinned `npx` dependency with auto-confirmation" (high), "Skill enables broad local file transfer to external LLMs" (high), and "Potential exposure of secrets via command-line arguments" (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned `npx` dependency with auto-confirmation.** The skill instructs users to run `npx -y @steipete/oracle` without pinning a version of `@steipete/oracle`, so whatever version is current on the npm registry at run time is downloaded and executed; a malicious update published to the registry would run with no further action by the user. The `-y` flag makes this worse by suppressing npx's install confirmation prompt, so the user is not even shown what is being installed. Recommendation: pin an exact version (e.g., `npx -y @steipete/oracle@1.0.0`); a published version number cannot be reused on npm, so an exact pin gives a stable target to review, whereas a range (`^1.0.0`) or a dist-tag (`latest`) does not. Alternatively, drop `-y` so the install prompt is shown, or install the package globally and manage its version explicitly. | LLM | SKILL.md:26 |
| HIGH | **Skill enables broad local file transfer to external LLMs.** The core function of `@steipete/oracle` is to bundle local files selected by globs such as `src/**` and send them to external LLM APIs or to browser automation. The skill does warn against attaching secrets and recommends "just enough context", but the capability itself is high-risk: a glob that is slightly too wide will ship `.env` files, keys or customer data to a third party despite the warning. In addition, `oracle serve` lets a client send files to a user-controlled remote host, which becomes an exfiltration path if that host is compromised or misconfigured. Recommendation: strengthen the sensitive-data warnings; support an exclusion file (a `.oracleignore` modelled on `.gitignore`) so sensitive paths are skipped by default rather than by user discipline; and for `oracle serve`, advise against binding to `0.0.0.0` outside a controlled network without authentication and strict network controls. | LLM | SKILL.md:1 |
| MEDIUM | **Potential exposure of secrets via command-line arguments.** The skill instructs users to pass a `<secret>` token directly as a command-line argument (`--token <secret>` or `--remote-token <secret>`) to `oracle serve` and to the client commands. Command-line arguments are visible to every local user through process listings (`ps aux`) and are written to shell history files, so the token can leak to anyone sharing the machine or reading the history. Recommendation: read the token from an environment variable (e.g., `ORACLE_REMOTE_TOKEN`) or from a configuration file with `0600` permissions instead of argv. Note that an inline `ORACLE_REMOTE_TOKEN=your_secret oracle ...` prefix still lands in shell history; export the variable from a file that is not history-logged, and remember that environment variables remain readable by the same user (and root) via `/proc/<pid>/environ` and are inherited by child processes. | LLM | SKILL.md:86 |
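As an added example (not code from SkillShield or from the `@steipete/oracle` project), the following JavaScript lint turns the first and third findings into a check you can run over a SKILL.md yourself: it reads the commands inside fenced code blocks, flags an `npx` package spec that is not pinned to an exact version (rated higher when `-y` is present), and flags `--token`/`--remote-token` values passed in argv. The rule names, severities and the sample SKILL.md are constructed for this example; the only `oracle` options it uses are `serve`, `--token` and `--remote-token`, which the report itself cites.

```javascript
// Added example, not code from SkillShield or from the @steipete/oracle project:
// a small lint for the shell commands in a SKILL.md. Rule names, severities
// and SAMPLE_SKILL_MD are constructed for this example.

// An exact version: major.minor.patch with optional pre-release/build suffix.
// Ranges (^1.0.0, ~1.2), dist-tags (latest, next) and a bare name all fail this.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Flags the report calls out as carrying a secret inline.
const SECRET_FLAGS = ['--token', '--remote-token'];

// Split "@scope/name@1.2.3" or "name@1.2.3" into { name, version }. Scoped
// packages begin with "@", so only an "@" after the first character separates
// the version; a spec without one yields version === null.
function parsePackageSpec(spec) {
  const at = spec.indexOf('@', 1);
  return at === -1
    ? { name: spec, version: null }
    : { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Lint a single shell command line and return an array of findings.
function lintCommand(cmd) {
  const findings = [];
  const argv = cmd.trim().split(/\s+/);

  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];

    if (tok === 'npx') {
      // Skip npx's own options; remember whether the install prompt is suppressed.
      let j = i + 1;
      let autoYes = false;
      while (j < argv.length && argv[j].startsWith('-')) {
        if (argv[j] === '-y' || argv[j] === '--yes') autoYes = true;
        j++;
      }
      if (j < argv.length) {
        const { name, version } = parsePackageSpec(argv[j]);
        if (version === null || !EXACT_SEMVER.test(version)) {
          findings.push({
            rule: 'unpinned-npx',
            severity: autoYes ? 'HIGH' : 'MEDIUM',
            detail: `${name} resolves to ${version === null ? 'latest' : JSON.stringify(version)} at run time` +
              (autoYes ? '; -y also suppresses the install prompt' : ''),
          });
        }
      }
    }

    // Both "--token <value>" and "--token=<value>" put the secret in argv.
    const flag = SECRET_FLAGS.find((f) => tok === f || tok.startsWith(f + '='));
    if (flag) {
      findings.push({
        rule: 'secret-in-argv',
        severity: 'MEDIUM',
        detail: `${flag} passes a secret on the command line (visible in ps and shell history)`,
      });
    }
  }
  return findings;
}

// Lint only the lines inside fenced code blocks of a SKILL.md, returning
// { line, command, findings } for every command that produced a finding.
function lintSkillMd(markdown) {
  const results = [];
  let inFence = false;
  markdown.split('\n').forEach((line, idx) => {
    if (line.trim().startsWith('```')) { inFence = !inFence; return; }
    if (!inFence || line.trim() === '') return;
    const findings = lintCommand(line);
    if (findings.length) results.push({ line: idx + 1, command: line.trim(), findings });
  });
  return results;
}

// Constructed sample SKILL.md: three risky invocations and one clean one.
const SAMPLE_SKILL_MD = [
  '## Usage',
  '',
  '```bash',
  'npx -y @steipete/oracle "review src/**"',
  'npx @steipete/oracle@latest serve --token <secret>',
  'npx -y @steipete/oracle@1.2.3 --remote-token=hunter2 "review src/**"',
  'npx -y @steipete/oracle@1.2.3 "review src/**"',
  '```',
].join('\n');

for (const r of lintSkillMd(SAMPLE_SKILL_MD)) {
  console.log(`line ${r.line}: ${r.command}`);
  for (const f of r.findings) console.log(`  [${f.severity}] ${f.rule}: ${f.detail}`);
}
```

Running it reports the first three commands and leaves the fourth (exact pin, no inline secret) clean. The version check is deliberately strict: `@latest`, `@^1.0.0` and a bare package name are all treated as unpinned, because each resolves to something different on the registry tomorrow.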
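The second finding argues that file selection should fail closed rather than rely on the user remembering the warning. As an added example of what that looks like (illustrative code, not the project's own; the report proposes a `.oracleignore` but does not say the tool has one), the following JavaScript builds the upload set from an in-memory file list: include globs of the `src/**` kind select candidates, `.gitignore`-style exclusion patterns drop known-sensitive paths, a byte budget enforces "just enough context", and a content scan refuses anything that still looks like a credential. The glob matcher, the secret rules and `SAMPLE_FILES` are all constructed for this example.

```javascript
// Added example, not code from SkillShield or from the @steipete/oracle
// project: a pre-flight filter for the file set a tool like this would bundle
// and send to an external LLM. Pattern list, secret rules and SAMPLE_FILES are
// constructed for this example.

// Convert one ignore/include pattern into a RegExp over a "/"-separated
// relative path. Supported: "*" (within a segment), "?", "**" (across
// segments), a leading "/" (anchor at the root) and a trailing "/" (directory
// contents only). A pattern with no "/" matches at any depth, as in .gitignore.
function globToRegExp(pattern) {
  let p = pattern.trim();
  const anchored = p.startsWith('/');
  if (anchored) p = p.slice(1);
  const dirOnly = p.endsWith('/');
  if (dirOnly) p = p.slice(0, -1);

  let re = '';
  for (let i = 0; i < p.length; i++) {
    const c = p[i];
    if (c === '*' && p[i + 1] === '*') {
      i++;
      if (p[i + 1] === '/') { i++; re += '(?:.*/)?'; } else { re += '.*'; }
    } else if (c === '*') {
      re += '[^/]*';
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    }
  }
  const prefix = anchored || p.includes('/') ? '^' : '(?:^|.*/)';
  const suffix = dirOnly ? '/.*$' : '(?:/.*)?$';
  return new RegExp(prefix + re + suffix);
}

// Content patterns that should never leave the machine. Deliberately few and
// high-confidence; widen them for your own environment.
const SECRET_RULES = [
  { name: 'private key block', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'credential assignment', re: /(?:api[_-]?key|secret|token|password)\s*[:=]\s*['"]?[A-Za-z0-9_\-]{16,}/i },
];

// Decide which of `files` ({ path, content }) may be uploaded.
// Returns { included: [path], excluded: [{ path, reason }], bytes }.
function planUpload(files, { include, ignore, maxBytes }) {
  const includeRes = include.map(globToRegExp);
  const ignoreRes = ignore.map(globToRegExp);
  const plan = { included: [], excluded: [], bytes: 0 };

  for (const f of files) {
    if (!includeRes.some((re) => re.test(f.path))) continue; // not selected at all
    const ignoredBy = ignore.find((_, i) => ignoreRes[i].test(f.path));
    if (ignoredBy !== undefined) {
      plan.excluded.push({ path: f.path, reason: `matches ignore pattern ${ignoredBy}` });
      continue;
    }
    const size = new TextEncoder().encode(f.content).length;
    if (size > maxBytes) {
      plan.excluded.push({ path: f.path, reason: `${size} bytes exceeds budget of ${maxBytes}` });
      continue;
    }
    const hit = SECRET_RULES.find((r) => r.re.test(f.content));
    if (hit) {
      plan.excluded.push({ path: f.path, reason: `content looks like a ${hit.name}` });
      continue;
    }
    plan.included.push(f.path);
    plan.bytes += size;
  }
  return plan;
}

// Constructed sample tree: source, config with an embedded key, env file,
// a private key, vendored code and an oversized fixture.
const SAMPLE_FILES = [
  { path: 'src/router.ts', content: 'export function route(p: string) { return p; }' },
  { path: 'src/config.ts', content: 'export const API_KEY = "sk_live_0123456789abcdef0123456789abcdef";' },
  { path: '.env', content: 'DATABASE_URL=postgres://app:pw@db/app' },
  { path: 'certs/server.pem', content: '-----BEGIN RSA PRIVATE KEY-----\nMIIEow...' },
  { path: 'node_modules/left-pad/index.js', content: 'module.exports = (s, n) => s.padStart(n);' },
  { path: 'docs/fixture.bin', content: 'x'.repeat(5000) },
  { path: 'README.md', content: '# demo' },
];

// Hypothetical .oracleignore contents (constructed for this example).
const DEFAULT_IGNORE = ['.env', '.env.*', '*.pem', '*.key', 'secrets/', '**/node_modules/', '.git/'];

const demoPlan = planUpload(SAMPLE_FILES, { include: ['**'], ignore: DEFAULT_IGNORE, maxBytes: 4096 });
console.log('upload:', demoPlan.included, `(${demoPlan.bytes} bytes)`);
for (const e of demoPlan.excluded) console.log('skip  :', e.path, '-', e.reason);
```

With the sample tree only `src/router.ts` and `README.md` survive: the ignore list catches the env file, the PEM and vendored code, the budget drops the fixture, and the content scan catches the key hard-coded in `src/config.ts`, which no path-based rule would have excluded. The ordering matters for a user-facing tool: path rules are cheap and explainable, so they run first, and the content scan is the last line of defence rather than the only one.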
Full report: https://skillshield.io/report/b163736b17779310

Powered by SkillShield