Trust Assessment
sera-lexicon received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Missing required field: name, Arbitrary file read via command-line argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Arbitrary file read via command-line argument The 'movie_of_the_day.py' script accepts a file path as a command-line argument and reads its content. This allows an attacker to instruct the agent to read arbitrary files from the filesystem, potentially leading to data exfiltration if the agent's output is accessible to the attacker, or unauthorized access to sensitive system files (e.g., /etc/passwd, configuration files). Restrict the skill's ability to read arbitrary files. If file input is necessary, implement strict validation to ensure only allowed file paths or types are accessed, or confine file operations to a sandboxed directory. Alternatively, redesign the skill to receive its 'history_text' directly as an argument rather than reading from a file path. | LLM | scripts/movie_of_the_day.py:59 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/wentinkjason/sera-lexicon/SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/f12c7ea3297b095c)
Powered by SkillShield