Trust Assessment
osint-graph-analyzer received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 1 medium, and 1 low severity. Key findings include "Missing required field: name", "Cypher Injection via Unsanitized CSV Input", and "Hardcoded Default Database Credentials".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Cypher Injection via Unsanitized CSV Input: The script constructs Neo4j Cypher queries using f-strings where node labels (`node_type`) and relationship types (`rel_type`) are directly interpolated from CSV file input without sanitization. A malicious CSV file could inject arbitrary Cypher statements into the database queries, leading to unauthorized data manipulation, deletion, or exfiltration within the Neo4j instance. Recommendation: sanitize or validate `node_type` and `rel_type` from CSV input to ensure they only contain valid, non-malicious characters. Alternatively, use parameterized queries for labels and relationship types if the Neo4j driver supports it, or map input values to a predefined set of safe labels/types. For example, use `apoc.create.node` or `apoc.create.relationship` with parameterized inputs for dynamic labels/types. | LLM | scripts/osint-graph.py:53 |
| HIGH | Cypher Injection via Unsanitized CSV Input: The script constructs Neo4j Cypher queries using f-strings where node labels (`node_type`) and relationship types (`rel_type`) are directly interpolated from CSV file input without sanitization. A malicious CSV file could inject arbitrary Cypher statements into the database queries, leading to unauthorized data manipulation, deletion, or exfiltration within the Neo4j instance. Recommendation: sanitize or validate `node_type` and `rel_type` from CSV input to ensure they only contain valid, non-malicious characters. Alternatively, use parameterized queries for labels and relationship types if the Neo4j driver supports it, or map input values to a predefined set of safe labels/types. For example, use `apoc.create.node` or `apoc.create.relationship` with parameterized inputs for dynamic labels/types. | LLM | scripts/osint-graph.py:70 |
| MEDIUM | Missing required field: name: The 'name' field is required for claude_code skills but is missing from the frontmatter. Recommendation: add a 'name' field to the SKILL.md frontmatter. | Static | skills/orosha-ai/osint-graph-analyzer/SKILL.md:1 |
| LOW | Hardcoded Default Database Credentials: The script contains hardcoded default credentials (username 'neo4j', password 'password') for connecting to the Neo4j database. While this is common for local development setups and the skill explicitly states a 'Local-Only Promise', hardcoding credentials can pose a security risk if the skill is deployed in a different environment or if the default password is not changed, potentially leading to unauthorized database access. Recommendation: for any non-local or production deployment, replace hardcoded credentials with environment variables, a secure configuration management system, or a secrets management service. For local development, ensure users are aware of the default credentials and the importance of changing them for any sensitive data. | LLM | scripts/osint-graph.py:22 |