Trust Assessment
style-transfer received a trust score of 18/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 3 high, 1 medium, and 1 low severity. Key findings include Unsafe environment variable passthrough, Credential harvesting, Suspicious import: urllib.request.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Recommendation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Credential harvesting: reading well-known credential environment variables. | Skills should only access environment variables they explicitly need. Bulk environment dumps (`os.environ.copy`, `JSON.stringify(process.env)`) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/hhhh124hhhh/style-transfer/scripts/transfer.py:250 |
| HIGH | Unsafe environment variable passthrough: access to well-known credential environment variables. | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/hhhh124hhhh/style-transfer/scripts/transfer.py:250 |
| HIGH | Server-Side Request Forgery (SSRF) via uncontrolled source URL. The `_get_image_data` function fetches image data from a user-provided URL (`--source`) using `urllib.request.urlopen` without validating the URL's scheme or host. An attacker can provide internal network URLs (e.g., `http://169.254.169.254/latest/meta-data/` for cloud metadata, or `file:///etc/passwd` if supported by the environment/urllib) to exfiltrate sensitive data from the agent's environment. The fetched content is then base64 encoded and sent to the OpenAI API, effectively exfiltrating the data. | Implement strict URL validation (whitelist allowed schemes and hosts) for the `--source` argument. Consider disallowing the `file://` scheme entirely. If fetching from arbitrary URLs is required, ensure the fetched content is not directly sent to a third-party API without explicit user consent, or run the fetching in an isolated, sandboxed environment. | LLM | scripts/transfer.py:155 |
| HIGH | Path traversal in output directory creation. The `--out-dir` argument is used directly to create directories and save files without proper sanitization. An attacker can provide a path traversal sequence (e.g., `../../../../etc/`) to write files to arbitrary locations on the filesystem. This could lead to overwriting critical system files, placing malicious content in sensitive directories, or filling up disk space in unintended locations. | Sanitize the `out_dir` argument to prevent path traversal. Use `os.path.abspath` and verify that the resolved path remains within an allowed, secure base directory (e.g., a dedicated temporary directory for the skill's output). Alternatively, disallow user-specified paths outside a predefined, secure temporary directory. | LLM | scripts/transfer.py:130 |
| MEDIUM | Suspicious import: `urllib.request`. Import of `urllib.request` detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/hhhh124hhhh/style-transfer/scripts/transfer.py:12 |
| LOW | Node lockfile missing. `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). | Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/hhhh124hhhh/style-transfer/package.json |