Trust Assessment
pricing-test received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 4 critical, 2 high, 2 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Hardcoded OpenAI API Key detected, Suspicious import: requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings8
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hexiaochun/pricing-test/SKILL.md:47 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hexiaochun/pricing-test/SKILL.md:63 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/hexiaochun/pricing-test/SKILL.md:47 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/hexiaochun/pricing-test/SKILL.md:63 | |
| HIGH | Hardcoded OpenAI API Key detected A hardcoded OpenAI API Key was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/hexiaochun/pricing-test/scripts/test_pricing.py:20 | |
| HIGH | Hardcoded API Key in Test Script The `scripts/test_pricing.py` file contains a hardcoded API key (`sk-df83fa5724454492be4dd3172d86425ecdbb9b64b143e7a3`). Hardcoding credentials, even for test environments, is a significant security risk as it can lead to exposure if the script or repository is accessed by unauthorized parties. This key is used directly in the Authorization header for network requests. Replace the hardcoded API key with an environment variable or a secure configuration management system. Ensure that test keys have minimal permissions and are rotated regularly. Avoid committing secrets directly into source control. | LLM | scripts/test_pricing.py:13 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hexiaochun/pricing-test/scripts/test_pricing.py:19 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/hexiaochun/pricing-test/scripts/test_pricing.py:13 |
Scan History
Embed Code
[](https://skillshield.io/report/ba8494588be77c4c)
Powered by SkillShield