Trust Assessment
scripture-curated received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 4 findings: 0 critical, 0 high, 2 medium, and 2 low severity. Key findings include Unsafe deserialization / dynamic eval, Missing required field: name, Accesses API Key from Environment.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/snail3d/voice-devotional/skills/scripture-curated/scripts/scripture-curated.js:494 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/snail3d/voice-devotional/skills/scripture-curated/SKILL.md:1 | |
| LOW | Accesses API Key from Environment The skill accesses the `BRAVE_API_KEY` from environment variables. While this is intended for legitimate use with the Brave Search API, the actual implementation of the API call (`fetchNews`) is a placeholder. Without the full implementation, it's not possible to confirm secure handling of this credential, which could lead to credential harvesting or data exfiltration if misused (e.g., logging the key, sending it to an untrusted endpoint). Ensure all API keys and sensitive credentials are handled securely. Implement robust validation and sanitization for all inputs. Verify that the `fetchNews` implementation (or the `web_search` tool) uses the `BRAVE_API_KEY` only for its intended purpose, does not log it, and communicates only with trusted endpoints over secure channels. | LLM | scripts/news-search.js:10 | |
| LOW | Accesses API Key from Environment The skill accesses the `BRAVE_API_KEY` from environment variables as part of its configuration. While this is intended for legitimate use with the Brave Search API, the actual implementation of the API call (`fetchNews` via `NewsSearch`) is a placeholder. Without the full implementation, it's not possible to confirm secure handling of this credential, which could lead to credential harvesting or data exfiltration if misused (e.g., logging the key, sending it to an untrusted endpoint). Ensure all API keys and sensitive credentials are handled securely. Implement robust validation and sanitization for all inputs. Verify that the `NewsSearch` component uses the `BRAVE_API_KEY` only for its intended purpose, does not log it, and communicates only with trusted endpoints over secure channels. | LLM | scripts/scripture-curated.js:15 |
Scan History
Embed Code
[](https://skillshield.io/report/3fa8b49b9cb9f6d9)
Powered by SkillShield