Trust Assessment
web-multi-search received a trust score of 54/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 1 high, 5 medium, and 0 low severity. Key findings: direct GitHub installation of a critical dependency, unpinned Python dependency versions, and loosely pinned dependencies in requirements.txt. Note that the four per-requirement MEDIUM findings and the LLM-layer "loosely pinned dependencies" finding describe the same four `>=` specifiers, reported by two different layers; the single HIGH finding (an unpinned `git+https://` install) is the one that changes what code actually runs.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Direct GitHub installation of critical dependency.** The skill explicitly instructs the user to install the `async-search-scraper` library directly from a GitHub URL (`git+https://github.com/soxoj/async-search-scraper.git`). This bypasses the package index (e.g., PyPI) entirely and relies solely on the integrity of the GitHub repository: a compromise of the GitHub account or repository would lead to malicious code being installed without any of the usual safeguards, and because no ref is given, every install tracks the default branch. The skill explains the reason (dependency issues), but this is a significant supply chain risk. Publish the dependency to a trusted, audited package index (e.g., PyPI) or use a vendored, audited copy. If direct GitHub installation is unavoidable, pin to a specific full commit hash (`...git@<40-hex-sha>`) rather than a branch or tag, so that installs are reproducible and cannot silently change. | LLM | SKILL.md:12 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `aiohttp>=3.9.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/orosha-ai/web-multi-search/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `aiohttp_socks>=0.9.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/orosha-ai/web-multi-search/requirements.txt:2 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `beautifulsoup4>=4.12.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/orosha-ai/web-multi-search/requirements.txt:3 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `requests>=2.31.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/orosha-ai/web-multi-search/requirements.txt:4 |
| MEDIUM | **Loosely pinned dependencies in requirements.txt.** The `requirements.txt` file uses `>=` for every dependency (e.g., `aiohttp>=3.9.0`), which allows any future version that meets the minimum to be installed. This is better than no constraint at all, but it can lead to unexpected behavior, breaking changes, or newly introduced vulnerabilities if a later release of a dependency has problems. Exact pinning (`==X.Y.Z`), or a dependency manager that generates a lock file (e.g., Poetry, Pipenv), is the usual recommendation for production environments because it gives reproducible builds and narrows supply chain exposure. Pin all dependencies to exact versions (`==X.Y.Z`) in `requirements.txt`, and audit and update them regularly to pick up security fixes. | LLM | requirements.txt:1 |
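The following script is an added example, not SkillShield's scanner or any code from the web-multi-search skill: it reproduces the two checks behind the table above (a `git+https://` requirement without a full commit hash, and a requirement whose specifier is not an exact `==` pin) and runs them over a constructed copy of the skill's four `>=` lines plus the GitHub install, then over a hardened version. The pinned versions, the `--hash` digest and the 40-hex commit in the hardened sample are placeholders, not values looked up from PyPI or the repository; the HIGH/MEDIUM labels mirror the report, and the LOW label for "pinned but no `--hash`" is this example's own addition.

```python
"""Audit a requirements.txt for (1) git URLs not pinned to a commit and
(2) version specifiers that are not exact pins. Added example; the sample
requirements below are constructed, and the pins/hashes are placeholders."""
import re

# Constructed sample: the four '>=' lines cited in the report, plus the
# git+https install that SKILL.md instructs, written as a requirement line.
LOOSE_REQUIREMENTS = """\
aiohttp>=3.9.0
aiohttp_socks>=0.9.0
beautifulsoup4>=4.12.0
requests>=2.31.0
git+https://github.com/soxoj/async-search-scraper.git
"""

# Hardened form. Versions, the sha256 and the commit are PLACEHOLDERS (assumed);
# generate real ones with e.g. `pip-compile --generate-hashes`.
PINNED_REQUIREMENTS = """\
# exact pin plus index hash: pip refuses a wheel whose digest differs
aiohttp==3.9.5 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
# git install pinned to a full 40-hex commit, not a branch or tag
async-search-scraper @ git+https://github.com/soxoj/async-search-scraper.git@1111111111111111111111111111111111111111
"""

GIT_RE = re.compile(r"git\+https://[^@\s]+(?:@(?P<ref>[^\s#]+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-\[\]]+)\s*(?P<op>===|==|>=|<=|~=|!=|>|<)\s*(?P<ver>[^\s,;]+)"
)


def audit_line(line):
    """Return (severity, message) for one requirements.txt line, or None if it is acceptable."""
    # pip treats '#' at line start or after whitespace as a comment; '#egg=' in a URL is not one
    stripped = re.sub(r"(^|\s)#.*$", "", line).strip()
    if stripped.startswith("-e "):            # editable install: audit the URL that follows
        stripped = stripped[3:].strip()
    if not stripped or stripped.startswith("-"):   # blank line or pip option (-r, --index-url, ...)
        return None

    m = GIT_RE.search(stripped)
    if m:
        ref = m.group("ref")
        if ref is None:
            return ("HIGH", f"git dependency with no ref, tracks the default branch: {stripped}")
        if not SHA_RE.match(ref):
            return ("HIGH", f"git dependency pinned to mutable ref {ref!r}, not a 40-hex commit: {stripped}")
        return None                            # commit-pinned: content cannot silently change

    m = PIN_RE.match(stripped)
    if not m:
        return ("MEDIUM", f"no version specifier at all: {stripped}")
    if m.group("op") not in ("==", "==="):
        return ("MEDIUM", f"{m.group('name')} uses {m.group('op')!r}, not an exact pin: {stripped}")
    if "--hash=" not in stripped:
        return ("LOW", f"{m.group('name')} is pinned but has no --hash, so the index is still trusted: {stripped}")
    return None


def audit(text):
    """Audit a whole requirements file; returns a list of (line_no, severity, message)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        f = audit_line(line)
        if f:
            findings.append((n, *f))
    return findings


if __name__ == "__main__":
    for label, text in (("loose", LOOSE_REQUIREMENTS), ("pinned", PINNED_REQUIREMENTS)):
        print(f"== {label} ==")
        for n, sev, msg in audit(text) or [(0, "OK", "no findings")]:
            print(f"line {n}: {sev}: {msg}")
```

Run it as `python audit_requirements.py`; the loose sample produces four MEDIUM findings and one HIGH, the hardened sample none. The script only reads the file and never installs anything, so it is safe to run in CI before `pip install`. It deliberately handles only `git+https://` URLs and single-line requirements (no `\` continuations), which is enough for the file in this report.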
Full report: https://skillshield.io/report/393ac5e6fc05d328 (powered by SkillShield)