Trust Assessment
simmer-weather received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 0 critical, 9 high, 4 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Suspicious import: urllib.request, Unpinned external dependency 'tradejournal'.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/adlai88/simmer-weather/weather_trader.py:9 |
| HIGH | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/adlai88/simmer-weather/weather_trader.py:710 |
| HIGH | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/adlai88/simmer-weather/weather_trader.py:920 |
| HIGH | Unsafe deserialization / dynamic eval: Python variable indirection to hide dangerous calls. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/adlai88/simmer-weather/weather_trader.py:964 |
| HIGH | Unsafe deserialization / dynamic eval: Python variable indirection to hide dangerous calls. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/adlai88/simmer-weather/weather_trader.py:965 |
| HIGH | Unsafe deserialization / dynamic eval: Python variable indirection to hide dangerous calls. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/adlai88/simmer-weather/weather_trader.py:966 |
| HIGH | Unsafe deserialization / dynamic eval: Python variable indirection to hide dangerous calls. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/adlai88/simmer-weather/weather_trader.py:967 |
| HIGH | Unsafe deserialization / dynamic eval: Python variable indirection to hide dangerous calls. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/adlai88/simmer-weather/weather_trader.py:968 |
| HIGH | Unsafe deserialization / dynamic eval: Python variable indirection to hide dangerous calls. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/adlai88/simmer-weather/weather_trader.py:970 |
| MEDIUM | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/adlai88/simmer-weather/weather_trader.py:10 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary; network and system modules in skill code may indicate data exfiltration. | Static | skills/adlai88/simmer-weather/scripts/status.py:16 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary; network and system modules in skill code may indicate data exfiltration. | Static | skills/adlai88/simmer-weather/weather_trader.py:24 |
| MEDIUM | Unpinned external dependency 'tradejournal'. The skill attempts to import 'tradejournal' as an external package without specifying a version. If 'tradejournal' is a PyPI package, this could lead to supply chain risks where a malicious update to an unpinned dependency could compromise the skill. While there is a fallback to 'skills.tradejournal', the initial attempt to import an unpinned external package is a potential risk. If 'tradejournal' is intended to be an external PyPI package, ensure it is explicitly pinned to a known good version in a `requirements.txt` file or similar dependency management system. If it is intended to be a local skill within the 'skills' repository, consider removing the `try...except` block that attempts to import it as an external package, and only use `from skills.tradejournal import log_trade`. | LLM | weather_trader.py:28 |
Full report: https://skillshield.io/report/5128e59b11911aba (powered by SkillShield)