Trust Assessment
valyu-search received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Credential Harvesting via API Key Storage.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Credential Harvesting via API Key Storage: The skill explicitly instructs the host LLM to ask the user for their Valyu API key and then provides a command (`scripts/valyu setup <api-key>`) to store this key persistently in a local configuration file (`~/.valyu/config.json`). While intended for legitimate use, this constitutes capturing and storing a secret. Users may not be fully aware that their API key is being saved to disk, which could pose a risk if the file is compromised. Clearly inform the user that their API key will be stored persistently on disk and specify the exact file path. Provide an option to use the API key only from an environment variable without local storage, or to explicitly confirm storage. Ensure the configuration file has appropriate permissions. | LLM | scripts/valyu.mjs:61 |