Trust Assessment
weather-query received a trust score of 84/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 0 medium, and 1 low severity. Key findings include Hardcoded API Credentials and Insecure Private Key Storage Pattern, Logging of internal location ID, Use of Environment Variable for Free API Key.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Hardcoded API Credentials and Insecure Private Key Storage Pattern The `lib/qweather_config.js` file contains placeholders for sensitive API credentials (`API_HOST`, `PROJECT_ID`, `CREDENTIALS_ID`) and a relative path to a private key file (`PRIVATE_KEY_PATH: "./ed25519-private.txt"`). This design encourages storing sensitive information directly within the skill's source code or in a plain text file alongside it. This is a significant security risk if these values are filled in and the code is committed to a repository, deployed without proper secrets management, or if the private key file is not adequately protected on the filesystem. The manifest's suggestion to use environment variables for these credentials (`QWEATHER_API_HOST`, etc.) indicates a conflict with the current hardcoded approach, which is less secure. 1. For API Credentials (`API_HOST`, `PROJECT_ID`, `CREDENTIALS_ID`, `DEFAULT_LOCATION`): Replace hardcoded values with references to environment variables (e.g., `process.env.QWEATHER_API_HOST`). 2. For `PRIVATE_KEY_PATH`: Do not store private keys directly in the filesystem alongside the application code, especially not in plain text. Instead, use a secure secrets management service (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) or environment variables that contain the key content directly (if size permits and security controls are in place), or ensure the path points to a highly restricted location with appropriate access controls. If a file must be used, ensure it's outside the application's deployable unit, has strict filesystem permissions, and is never committed to version control. | LLM | lib/qweather_config.js:5 | |
| LOW | Logging of internal location ID The `lib/weather_now_free.js` file logs the `location.id` to the console after a successful lookup. While `location.id` might not be a direct credential, it is internal processing data derived from user input. Logging such details to standard output can pose a minor data exfiltration risk if the skill's logs are not securely managed or are exposed. Remove or redact logging of internal IDs or sensitive user-derived data in production environments. Use a proper logging framework that allows for different log levels and secure log storage. | LLM | lib/weather_now_free.js:27 | |
| INFO | Use of Environment Variable for Free API Key The `lib/weather_now_free.js` file retrieves `QWEATHER_FREE_API_KEY` from environment variables. While using environment variables is a recommended practice for secrets management, it's important to ensure that this environment variable is securely configured in the deployment environment and not exposed through logs, process listings, or other insecure channels. This key, even for a "free" API, is a credential that could be misused if compromised. Ensure robust secrets management practices are followed for `QWEATHER_FREE_API_KEY` in all deployment environments. Avoid logging the key or exposing it in any unencrypted form. | LLM | lib/weather_now_free.js:10 |
Scan History
Embed Code
[](https://skillshield.io/report/eb825cfdf70d93e0)
Powered by SkillShield