Trust Assessment
steamcommunity received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding (0 critical, 1 high, 0 medium, 0 low). The key finding: the skill requires and directly uses highly sensitive Steam session and API credentials.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Skill requires and directly uses highly sensitive Steam session and API credentials | LLM | SKILL.md:29 |

The skill's documentation explicitly instructs users to provide `STEAM_API_KEY`, `STEAM_COOKIES` (including `steamLoginSecure`), and `STEAM_SESSION_ID` as environment variables. These values are then interpolated directly into `curl` commands, giving the skill full authenticated access to the user's Steam account for inventory viewing and trade offer management. The pattern exposes long-lived session tokens and an API key to the execution environment: if that environment is compromised, or the values are inadvertently logged, an attacker could gain control of the user's Steam account, leading to item theft, unauthorized trades, or other abuse. The broad permissions these credentials carry make this a significant risk.

Recommendations:

1. **Secure credential storage**: Advise against storing raw, long-lived credentials directly in environment variables. Explore more secure methods such as a credential vault, short-lived tokens, or OAuth flows if Steam supports them for this use case.
2. **Least privilege**: Investigate whether more granular API scopes or permissions can limit the impact of a credential compromise.
3. **Execution environment hardening**: Run any skill handling credentials of this sensitivity in a tightly sandboxed environment, and ensure command logs do not capture the values.
4. **User education**: Clearly warn users about the sensitivity of these credentials and the risks of their exposure.
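The finding and recommendation 3 turn on one mechanical detail: a secret interpolated into a `curl` command line is visible to anything that can read argv (`ps`, shell history, command loggers, crash reports). The script below is an added example, not code from the skill or from the SkillShield report. It contrasts the interpolated form with a variant that feeds the same secrets to `curl -K -` (a config read from stdin, so argv holds only fixed options), and adds a redaction step for log lines. It assumes the three environment variables the finding names; the endpoint URL and the credential values are constructed placeholders, and nothing here contacts Steam.

```shell
#!/usr/bin/env sh
# Added example, not part of the skill or the SkillShield report.
# Constructed placeholder values so the script runs offline with no network.
set -u

: "${STEAM_API_KEY:=0123456789ABCDEF0123456789ABCDEF}"                      # constructed
: "${STEAM_COOKIES:=steamLoginSecure=76561198000000000%7C%7Cfaketoken}"     # constructed
: "${STEAM_SESSION_ID:=deadbeefcafebabe}"                                   # constructed
export STEAM_API_KEY STEAM_COOKIES STEAM_SESSION_ID

# Pattern the finding describes: secrets land in argv. Returns the command
# line a process/command logger would record. $1 is the endpoint URL.
unsafe_curl_argv() {
    printf 'curl -s -H "Cookie: %s" -d "sessionid=%s" "%s?key=%s"' \
        "$STEAM_COOKIES" "$STEAM_SESSION_ID" "$1" "$STEAM_API_KEY"
}

# Hardened variant: emit a curl config file (the syntax `curl -K -` reads
# from stdin). The secrets travel over the pipe, never through argv.
build_curl_config() {
    printf 'header = "Cookie: %s"\n' "$STEAM_COOKIES"
    printf 'data = "sessionid=%s"\n' "$STEAM_SESSION_ID"
    printf 'url = "%s?key=%s"\n' "$1" "$STEAM_API_KEY"
}

# What argv looks like for the hardened call: only fixed options.
safe_curl_argv() {
    printf 'curl -s -K -'
}

# Real invocation shape (left commented so the example stays offline):
#   build_curl_config "$url" | curl -s -K -

# Scrub all three secret values from a log line before writing it, covering
# the "inadvertently logged" case. Literal matching via awk index(), so
# cookie characters such as % and | are not treated as regex metacharacters.
redact_secrets() {
    printf '%s' "$1" | awk -v a="$STEAM_API_KEY" -v b="$STEAM_COOKIES" \
                           -v c="$STEAM_SESSION_ID" '
    function scrub(s, sec,   i, out) {
        if (sec == "") return s
        out = ""
        while ((i = index(s, sec)) > 0) {
            out = out substr(s, 1, i - 1) "[REDACTED]"
            s = substr(s, i + length(sec))
        }
        return out s
    }
    { print scrub(scrub(scrub($0, a), b), c) }'
}

# Status 0 when $1 contains $2 as a literal substring (quoted pattern = literal).
contains_literal() {
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

main() {
    url='https://api.example.invalid/trade-offers'   # constructed endpoint
    echo "argv, interpolated: $(unsafe_curl_argv "$url")"
    echo "argv, via -K -:      $(safe_curl_argv)"
    echo "redacted log line:   $(redact_secrets "$(unsafe_curl_argv "$url")")"
}

main
```

Two caveats a reviewer would add: moving secrets off argv fixes local exposure only, and an API key carried in the query string (as in the config above) still reaches proxies and server access logs, so prefer a header or request body where the API allows it; and a credential value containing a double quote would break the config's quoting, so values should be validated before they are written into it.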
Full report: [skillshield.io/report/671b87b5cba67dce](https://skillshield.io/report/671b87b5cba67dce)