Trust Assessment
security-audit received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Sensitive environment variable access: $HOME, Arbitrary file write via --out argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Arbitrary file write via --out argument The `scripts/security_audit.sh` script accepts a `--out` argument which allows specifying an arbitrary file path to write the audit report to. This capability grants excessive permissions and can be abused to overwrite critical system files, leading to denial of service, data corruption, or as a stepping stone for privilege escalation. While the content written is the audit report itself, the ability to write to any location on the filesystem is a significant security risk. Restrict the `--out` path to a designated temporary or output directory, or enforce strict validation on the path to ensure it's within an allowed sandbox. For example, only allow writing to a subdirectory of the current working directory or a specific `/tmp` location. | LLM | scripts/security_audit.sh:25 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/virtaava/sona-security-audit/scripts/hostile_audit.py:14 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/virtaava/sona-security-audit/scripts/run_audit_json.sh:5 |
Scan History
Embed Code
[](https://skillshield.io/report/818062c05147119e)
Powered by SkillShield