Trust Assessment
proxy-mcp received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include unrestricted `npx` command execution, access to sensitive payment card details, and an unpinned `npx` dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Access to sensitive payment card details: The skill explicitly exposes and demonstrates the use of the `proxy.cards.get_sensitive` tool, which retrieves "full card number, CVV, expiry". Granting an AI agent access to this tool creates a critical data exfiltration risk, as a compromised or manipulated agent could expose sensitive financial information, leading to unauthorized transactions or fraud. This represents an excessive permission for an AI agent. Re-evaluate the necessity of exposing `proxy.cards.get_sensitive` to the AI agent. If absolutely required, implement robust human-in-the-loop approval, strict access controls, and strong auditing for any calls to this sensitive tool. Consider using masked card details or tokenization where possible, and only expose full details to highly secure, audited systems, not directly to an AI agent. | LLM | SKILL.md:40 |
| HIGH | Unrestricted `npx` command execution: The skill configuration suggests using `npx proxy-mcp-server`, which allows the AI agent to execute an arbitrary Node.js package from npm. This presents a significant command injection risk, as a malicious or compromised `proxy-mcp-server` package could execute arbitrary code on the host system. The `-y` flag bypasses user confirmation for installation, increasing the risk of silent execution of untrusted code. Implement strict whitelisting for executable commands and arguments. Ensure `npx` is run in a highly sandboxed environment with minimal permissions. Consider using a pre-installed, version-pinned package instead of `npx` for production environments to reduce dynamic dependency resolution risks. | LLM | SKILL.md:12 |
| MEDIUM | Unpinned `npx` dependency: The `npx proxy-mcp-server` command does not specify a version, which means it will always download and execute the latest available version of the `proxy-mcp-server` package. This introduces a supply chain risk, as a malicious update to the package could be automatically executed without explicit approval or review, potentially leading to command injection or other compromises. Pin the version of `proxy-mcp-server` (e.g., `npx -y proxy-mcp-server@1.2.3`) to ensure deterministic and reviewed execution. Implement a process for vetting and updating dependencies. | LLM | SKILL.md:12 |
| MEDIUM | Agent token exposed to external process/network: The skill requires the `PROXY_AGENT_TOKEN` to be passed either as an environment variable to an `npx` command or directly in an HTTP Authorization header. While these are common methods for passing credentials, it means the token is exposed to the `proxy-mcp-server` process or potentially over the network. A compromised `proxy-mcp-server` or a manipulated AI agent could harvest this token, leading to unauthorized access to the user's Proxy account. Implement secure credential management practices. Avoid hardcoding tokens. Ensure the environment where the `npx` command runs is highly secure and isolated. Consider using short-lived tokens or more granular access controls if available. Educate users on the risks associated with exposing this token. | LLM | SKILL.md:15 |