Trust Assessment
senior-backend received a trust score of 87/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 2 medium, 0 low, and 1 informational. The findings are a suspicious `urllib.request` import, an option in the API Load Tester that disables SSL verification, and a Database Migration Tool description that implies live database interaction not present in the code.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Suspicious import: urllib.request.** Import of `urllib.request` detected. This module provides network access, and network or low-level system modules in skill code can serve as a channel for data exfiltration. Verify that the import is necessary and that the script only reaches the hosts the user asked it to load-test. | Static | skills/alirezarezvani/senior-backend/scripts/api_load_tester.py:26 |
| MEDIUM | **API Load Tester allows disabling SSL verification.** `api_load_tester.py` exposes an option (`verify_ssl=False`) that disables TLS certificate verification. With verification off the client accepts any certificate, so anyone on the network path can present a forged one and read or tamper with the traffic (a Man-in-the-Middle attack). The parameter is optional, but its presence is a weakness because an LLM driving the skill could be instructed, possibly through untrusted input, to set it. Remove the `verify_ssl` parameter and always enforce verification, or at least default it to `True` and document the risk of disabling it. If it is genuinely needed for a specific test scenario, gate it behind an explicit operator opt-in and log every use. | LLM | scripts/api_load_tester.py:100 |
| INFO | **Database Migration Tool description implies live database interaction not present in code.** `SKILL.md` describes `database_migration_tool.py` as interacting with a live database through a connection string (`--connection $DATABASE_URL`). In the provided script (`scripts/database_migration_tool.py`), however, all connection and execution logic (`_connect_to_db`, `_execute_sql`, `analyze_database`) is commented out, so the current script only parses SQL files and never connects to or modifies a database. The discrepancy can mislead users about the tool's capabilities, and the dormant code is a risk if it is re-enabled later without a security review. Either update `SKILL.md` to describe the current behaviour (file-based analysis only) or, if live database interaction is intended, implement the connection and execution logic securely, with input sanitisation and a least-privilege database role. | LLM | scripts/database_migration_tool.py:200 |
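The two medium findings above describe a pattern rather than show it. The following is an added example, not code from the senior-backend skill or from SkillShield: it reproduces the flagged shape (one boolean that silently turns off certificate checks on a `urllib.request` opener) next to a hardened replacement that keeps verification on by default, requires a second, operator-controlled signal before it can be disabled, and logs every downgrade. The function names, the `ALLOW_INSECURE_TLS` environment variable and the log wording are assumptions for illustration; the report only states that the script accepts `verify_ssl=False`.

```python
"""Added example (not the senior-backend skill's own code).

Flagged pattern vs. hardened pattern for a `verify_ssl` option on a
urllib.request-based HTTP client. Names below are hypothetical.
"""
import logging
import os
import ssl
import urllib.request
from typing import Mapping, Optional

log = logging.getLogger("api_load_tester")


def insecure_tls_context(verify_ssl: bool = True) -> ssl.SSLContext:
    """The flagged shape: a single flag disables all certificate checks.

    With verify_ssl=False the context accepts any certificate, so an
    on-path attacker can present a forged one and read or modify traffic.
    """
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


class InsecureTLSRefused(RuntimeError):
    """Raised when verification is requested off without the operator opt-in."""


def build_tls_context(
    verify_ssl: bool = True, *, env: Optional[Mapping[str, str]] = None
) -> ssl.SSLContext:
    """Hardened shape: verification stays on unless two signals agree.

    Disabling it needs both the call-site flag and ALLOW_INSECURE_TLS=1
    (hypothetical variable) set by the operator, so an instruction smuggled
    into the LLM's prompt cannot flip it alone. Every downgrade is logged.
    """
    env = os.environ if env is None else env
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if verify_ssl:
        return ctx
    if env.get("ALLOW_INSECURE_TLS") != "1":
        raise InsecureTLSRefused(
            "verify_ssl=False requested but ALLOW_INSECURE_TLS=1 is not set"
        )
    log.warning("TLS certificate verification disabled (pid=%d)", os.getpid())
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_opener(
    verify_ssl: bool = True, *, env: Optional[Mapping[str, str]] = None
) -> urllib.request.OpenerDirector:
    """Opener the load tester would use; verification policy comes from above."""
    handler = urllib.request.HTTPSHandler(
        context=build_tls_context(verify_ssl, env=env)
    )
    return urllib.request.build_opener(handler)


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True only if the context rejects forged or self-signed certificates."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print("flagged, verify_ssl=False ->", verification_enabled(insecure_tls_context(False)))
    print("hardened, default        ->", verification_enabled(build_tls_context()))
    try:
        build_tls_context(False, env={})
    except InsecureTLSRefused as exc:
        print("hardened, no opt-in      -> refused:", exc)
```

The check worth keeping from this is `verification_enabled`: a reviewer can call it on whatever context a script builds and get a yes/no answer, instead of reading the option-parsing code to find out whether `verify_ssl` can reach `CERT_NONE`.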
Full report: https://skillshield.io/report/46a2730e9f7459cb (powered by SkillShield)