Trust Assessment
scalekit-auth received a trust score of 61/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 0 high, 6 medium, and 0 low severity. Key findings include Unpinned Python dependency version, Unpinned Dependencies in requirements.txt, Full OAuth Token Printed to Standard Output.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned Python dependency version Requirement 'scalekit-sdk-python' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/avinash-kamath/scalekit-agent-auth/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'python-dotenv' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/avinash-kamath/scalekit-agent-auth/requirements.txt:2 | |
| MEDIUM | Unpinned Python dependency version Requirement 'requests' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/avinash-kamath/scalekit-agent-auth/requirements.txt:3 | |
| MEDIUM | Unpinned Dependencies in requirements.txt The `requirements.txt` file specifies dependencies without pinning them to exact versions. This can lead to supply chain risks, as a malicious update to any of these packages could be automatically installed, or breaking changes could occur. It is best practice to pin dependencies to specific versions (e.g., `package==1.2.3`) to ensure reproducibility and security. Pin all dependencies in `requirements.txt` to exact versions. For example, `scalekit-sdk-python==X.Y.Z`, `python-dotenv==A.B.C`, `requests==P.Q.R`. | LLM | requirements.txt:1 | |
| MEDIUM | Full OAuth Token Printed to Standard Output The `agent_wrapper.py` and `get_token.py` scripts print the full OAuth access token directly to standard output. While this is intended for shell integration (e.g., `TOKEN=$(...)`), it contradicts the security best practice mentioned in `SKILL.md` ('Never log tokens - use [REDACTED] in logs') and increases the risk of token exposure. If the shell environment, logs, or calling scripts are not properly secured, the full token could be inadvertently stored or leaked. Re-evaluate the necessity of printing the full token to stdout. If shell integration requires it, ensure robust warnings are in place for users about handling the output securely. For programmatic use, prefer direct function calls that return the token rather than relying on stdout parsing. Consider masking or redacting the token in any logging or error messages within these scripts. | LLM | agent_wrapper.py:49 | |
| MEDIUM | Full OAuth Token Printed to Standard Output The `agent_wrapper.py` and `get_token.py` scripts print the full OAuth access token directly to standard output. While this is intended for shell integration (e.g., `TOKEN=$(...)`), it contradicts the security best practice mentioned in `SKILL.md` ('Never log tokens - use [REDACTED] in logs') and increases the risk of token exposure. If the shell environment, logs, or calling scripts are not properly secured, the full token could be inadvertently stored or leaked. Re-evaluate the necessity of printing the full token to stdout. If shell integration requires it, ensure robust warnings are in place for users about handling the output securely. For programmatic use, prefer direct function calls that return the token rather than relying on stdout parsing. Consider masking or redacting the token in any logging or error messages within these scripts. | LLM | get_token.py:20 |
Scan History
Embed Code
[](https://skillshield.io/report/837ca925a49708c8)
Powered by SkillShield