Trust Assessment
The `recruitment` skill received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are "Use of Public Tunneling Service (bore.pub) for API Endpoint with API Key" and "Broad Google Account Permissions Implied".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Use of Public Tunneling Service (bore.pub) for API Endpoint with API Key: The skill's `mcpServers` configuration directs API communication, including the `CRAFTED_API_KEY`, to an endpoint hosted on `bore.pub`. `bore.pub` is a public tunneling service not intended for secure, production-grade API hosting. This introduces significant supply chain risks due to reliance on an untrusted third-party service for critical infrastructure. It also poses a credential handling risk as the API key is transmitted to/through this public service, increasing the attack surface for interception or compromise. Replace `bore.pub` with a dedicated, secure, and trusted API endpoint (e.g., a domain owned by `we-crafted.com` with proper TLS/SSL). Ensure API keys are transmitted over HTTPS and handled securely. Consider using environment variables or a secrets management system instead of hardcoding `CRAFTED_API_KEY` directly in configuration if this JSON is distributed. | LLM | SKILL.md:79 |
| MEDIUM | Broad Google Account Permissions Implied: The skill description states it "creates and populates" Google Sheets and drafts Gmail emails. This implies the skill requires significant write permissions to the user's Google account (Google Sheets API and Gmail API). While necessary for functionality, the scope of these permissions is not specified. Broad write access to a user's Google Sheets and Gmail could be exploited if the skill is compromised or behaves maliciously, potentially leading to data manipulation, unauthorized email sending, or data exfiltration. Clearly define and limit the scope of required Google API permissions to the absolute minimum necessary for the skill's operation (e.g., specific sheet access, draft-only email permissions). Inform users about the exact permissions requested during installation/authorization. | LLM | SKILL.md:30 |