Trust Assessment
routemesh-rpc received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include API Key Exposure via Command-Line Argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **API Key Exposure via Command-Line Argument.** The skill's documentation indicates that an API key (`--api-key`) can be passed directly as a command-line argument to the `routemesh_rpc.py` script. While the skill also suggests using an environment variable (`ROUTEMESH_API_KEY`), providing a command-line option for sensitive credentials is a security anti-pattern. Command-line arguments are often visible in shell history, process lists (`ps aux`), and system logs, making the API key vulnerable to exposure. Remove the `--api-key` command-line argument. Rely solely on the `ROUTEMESH_API_KEY` environment variable for providing the API key. This ensures the key is not exposed in shell history, process lists, or logs. | LLM | SKILL.md:34 |