Trust Assessment
pinterest received a trust score of 74/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include "Suspicious import: requests", "Direct handling and console output of sensitive API credentials", and "Unpinned third-party dependency `requests`".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Direct handling and console output of sensitive API credentials.** The `scripts/auth.py` script directly prompts the user for `CLIENT_ID` and `CLIENT_SECRET` via `input()`. It then uses these to obtain an `Access Token` and `Refresh Token` from the Pinterest API. All of these sensitive credentials are then printed directly to the console. This practice exposes credentials to potential harvesting by a malicious LLM prompt designed to extract information from the script's output, or to any observer of the console output. The `CLIENT_SECRET` is also base64 encoded and sent in a `Basic` Authorization header, highlighting its sensitive nature. Recommendations: 1. Avoid prompting for and printing sensitive credentials directly to the console in scripts intended for LLM interaction. 2. Instead, use secure environment variables or a dedicated secrets management system (e.g., `keyring`, cloud secret managers) to store and retrieve API keys and tokens. 3. If console output is unavoidable for initial setup, ensure the environment is secure and instruct users to immediately transfer tokens to a secure storage mechanism, clearing console history if possible. 4. For `CLIENT_SECRET`, consider using client-side OAuth flows where the secret is not exposed to the client, or ensure the script runs in a trusted, isolated environment. | LLM | scripts/auth.py:6 |
| MEDIUM | **Suspicious import: requests.** Import of `requests` detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ruslanlanket/pinterest-pub/scripts/auth.py:2 |
| MEDIUM | **Unpinned third-party dependency `requests`.** The `scripts/auth.py` file imports the `requests` library without specifying a version. This means that any version of `requests` installed in the environment will be used. Future versions of `requests` could introduce breaking changes, new vulnerabilities, or unexpected behavior, potentially impacting the skill's functionality or security. Recommendations: 1. Pin the version of `requests` in a `requirements.txt` file (e.g., `requests==2.28.1`) to ensure deterministic builds and prevent unexpected updates. 2. Regularly review and update pinned dependencies to incorporate security patches and new features in a controlled manner. | LLM | scripts/auth.py:2 |
Full report: https://skillshield.io/report/2270b53ae93be6a5