Trust Assessment
pinterest received a trust score of 49/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.check_call(), Runtime dependency installation via subprocess.check_call.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/cyberfront-ai/pinterest/scripts/pinterest_api.py:20 | |
| HIGH | Dangerous call: subprocess.check_call() Call to 'subprocess.check_call()' detected in function '<module>'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/cyberfront-ai/pinterest/scripts/pinterest_api.py:20 | |
| MEDIUM | Runtime dependency installation via subprocess.check_call The `scripts/pinterest_api.py` script attempts to install the `httpx` library at runtime using `subprocess.check_call`. While the package name `httpx` is hardcoded, this practice introduces a supply chain risk by fetching and executing code from PyPI during skill execution. It also demonstrates the capability for arbitrary command execution, which could be exploited if the package name or other arguments were ever derived from untrusted input. Dependencies should be managed during the skill's setup phase, not dynamically at runtime. All Python dependencies should be declared in a `requirements.txt` file and installed during the skill's setup or deployment phase, not dynamically at runtime. Remove the `try...except ImportError` block that performs `subprocess.check_call`. Ensure `httpx` is a pre-installed dependency in the skill's environment. | LLM | scripts/pinterest_api.py:22 |
Scan History
Embed Code
[](https://skillshield.io/report/17628ed6f669db10)
Powered by SkillShield