Trust Assessment
reposit received a trust score of 89/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 2 medium, and 1 low severity. The key findings are: uncontrolled `npx` execution in the setup configuration; a configurable backend URL that allows data redirection; and automatic sharing that bypasses confirmation, increasing exfiltration risk.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Uncontrolled `npx` execution in setup configuration.** The skill's setup instructions define an `mcpServers` configuration that uses `npx` to execute `@reposit-bot/reposit-mcp@0.3.11`. While the package version is pinned, `npx` directly executes code from npm. If the specified package or its dependencies are compromised, or if a typosquatting attack occurs, this could lead to arbitrary code execution on the host system. The `-y` flag also bypasses confirmation during installation. Consider installing the package explicitly (e.g., `npm install @reposit-bot/reposit-mcp`) and then running it, or using a more robust package integrity check. Ensure the `@reposit-bot` scope is verified. Remove `-y` if possible to require explicit confirmation. | LLM | SKILL.md:12 |
| MEDIUM | **Automatic sharing bypasses confirmation, increasing exfiltration risk.** The `REPOSIT_AUTO_SHARE=true` configuration bypasses the confirmation step before sharing solutions. While the skill explicitly instructs the agent to scrub sensitive data (secrets, PII, internal details) before sharing, removing the human-in-the-loop confirmation significantly increases the risk of accidental or malicious data exfiltration if the agent fails to properly sanitize content, especially under prompt injection pressure. Strongly advise against setting `REPOSIT_AUTO_SHARE=true` in production environments. If automatic sharing is required, implement robust, independent content scanning and redaction mechanisms before data is sent. | LLM | SKILL.md:83 |
| LOW | **Configurable backend URL allows data redirection.** The skill allows overriding the default Reposit backend URL via the `REPOSIT_URL` environment variable. While this provides flexibility, it also creates a potential vector for data exfiltration. If an attacker can manipulate this environment variable (e.g., through a prompt injection attack on the host LLM that causes it to set this variable), all data sent by the skill (queries, shared solutions, votes) could be redirected to an attacker-controlled server. The skill itself does not set this variable, but exposes the mechanism. Implement strict validation or whitelisting for `REPOSIT_URL` values if possible, or ensure the host LLM environment is hardened against environment variable manipulation. | LLM | SKILL.md:82 |