Trust Assessment
sonarqube-analyzer received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 3 critical, 1 high, 2 medium, and 1 low severity. Key findings include "Network egress to untrusted endpoints", "Missing required field: name", and "Unpinned npm dependency version".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/felipeoff/sonarqube-analyzer/package.json:57 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/felipeoff/sonarqube-analyzer/scripts/analyze.js:73 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/felipeoff/sonarqube-analyzer/src/api.js:6 |
| HIGH | Weak default SonarQube authentication token | The skill uses 'admin' as a default value for the `SONAR_TOKEN` environment variable if `process.env.SONAR_TOKEN` is not set. This is a highly insecure default that encourages deployment with weak credentials, potentially granting unauthorized access to the SonarQube instance. Users should be strongly advised to configure a strong, unique token. | Remove the default 'admin' token. Force users to explicitly provide a `SONAR_TOKEN` environment variable or provide a secure, randomly generated default during setup. Update documentation to emphasize the importance of configuring a strong token. | LLM | src/api.js:5 |
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. | Add a 'name' field to the SKILL.md frontmatter. | Static | skills/felipeoff/sonarqube-analyzer/SKILL.md:1 |
| MEDIUM | Unpinned npm dependency version | Dependency 'jest' is not pinned to an exact version ('^29.0.0'). | Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/felipeoff/sonarqube-analyzer/package.json |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). | Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/felipeoff/sonarqube-analyzer/package.json |