Trust Assessment
personal-crm received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Broad access to sensitive user data and system resources, Processing of highly sensitive user data (emails, Facebook data), Potential command injection via external calendar access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Broad access to sensitive user data and system resources The skill explicitly requires broad permissions including access to the user's calendar, email, and local filesystem. It also mentions potential access to iMessage and Gmail for platform search. While these are stated as 'optional' or 'if granted access', the skill's core functionality relies on processing highly sensitive Personal Identifiable Information (PII) from these sources. This broad access increases the attack surface and the potential impact of a compromise. Implement granular permission requests. Clearly justify each permission. Ensure all data handling is strictly sandboxed and adheres to the principle of least privilege. Provide clear user consent flows for each data source. | LLM | Manifest:1 | |
| HIGH | Potential command injection via external calendar access The skill describes accessing Google Calendar data using a command-line tool example: `gog calendar list Birthdays --account [your-account]`. If the `[your-account]` parameter is derived from untrusted user input without proper sanitization, it could lead to command injection, allowing an attacker to execute arbitrary commands on the host system where the agent is running. This indicates the agent has the capability to execute external commands. Avoid direct shell execution with user-controlled input. If external tools must be used, ensure all parameters are strictly validated and sanitized. Prefer using dedicated APIs with proper authentication and authorization over shell commands. Implement a strict allowlist for commands and arguments. | LLM | SKILL.md:150 | |
| MEDIUM | Processing of highly sensitive user data (emails, Facebook data) The skill is designed to process highly sensitive user data, including forwarded emails (which can contain PII, financial info, etc.) and Facebook `friends.json` files (containing social graph, birthdays, etc.). While the skill claims 'All data stays local in NETWORK.md' and 'Never shared externally', the act of processing such data by an AI agent inherently carries a risk of accidental leakage, insecure storage, or malicious exfiltration if the agent's environment or implementation is compromised. The instruction to 'Forward `friends/friends.json` to your agent' directly encourages users to provide sensitive data. Implement robust data sanitization and anonymization techniques. Ensure secure, encrypted storage for all PII. Provide clear warnings to users about the risks of sharing sensitive data. Detail the specific security measures taken to prevent leakage. | LLM | SKILL.md:140 |
Scan History
Embed Code
[](https://skillshield.io/report/c4b5cde8006fa7a8)
Powered by SkillShield