Security Audit
aws-serverless
Source: github.com/sickn33/antigravity-awesome-skills
Trust Assessment
aws-serverless received a trust score of 66/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 0 medium, and 2 low severity. Both concern a broad Cross-Origin Resource Sharing (CORS) policy: one in the API Gateway configuration and one in the Lambda response headers.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Detail | Layer | Location |
|---|---|---|---|---|
| LOW | Broad Cross-Origin Resource Sharing (CORS) policy in API Gateway | The API Gateway configuration in the SAM template sets `AllowOrigins` to `*`, so any origin may make cross-origin requests to the API. While common for public APIs, this is a risk if the API is intended to be private or restricted, since it can enable unauthorized access or data exfiltration when other controls are absent. Restrict `AllowOrigins` to specific, trusted origins unless the API is meant for public consumption; for public APIs, ensure every endpoint is designed to be publicly reachable and exposes no sensitive data without proper authentication/authorization. | LLM | SKILL.md:50 |
| LOW | Broad Cross-Origin Resource Sharing (CORS) policy in Lambda response | The Node.js Lambda handler explicitly sets `Access-Control-Allow-Origin: *` in its response headers, with the same consequences and the same recommendation as the API Gateway finding above: restrict the header to trusted origins unless the API is intentionally public. | LLM | SKILL.md:30 |
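The two findings have the same fix: replace the wildcard with an allowlist of trusted origins. Two caveats a practitioner should keep in mind: CORS only controls which browser-side scripts may read a response, so it is not an authentication control, and `Access-Control-Allow-Origin: *` cannot be combined with `Access-Control-Allow-Credentials: true` (browsers reject that combination), so an API that relies on cookies or credentialed requests has to echo a specific origin anyway. The handler below is an added example, not code from the audited skill or from the antigravity-awesome-skills repository. It assumes a hypothetical comma-separated `ALLOWED_ORIGINS` environment variable and an API Gateway proxy event in either the HTTP API (v2) or REST API (v1) shape; the sample events are constructed.

```javascript
// Added example (not code from the audited aws-serverless skill): a Node.js
// Lambda handler for API Gateway that replaces the wildcard
// Access-Control-Allow-Origin flagged by the audit with an origin allowlist.
// Assumptions: trusted origins come from a hypothetical ALLOWED_ORIGINS
// environment variable (comma-separated), and the event is an API Gateway
// proxy event in the HTTP API (v2) or REST API (v1) shape.

// Parse "https://a.example,https://b.example" into a Set of exact origins.
function parseAllowedOrigins(value) {
  return new Set(
    (value || "")
      .split(",")
      .map((o) => o.trim())
      .filter(Boolean)
  );
}

// Default allowlist; the constructed fallback stands in for real config.
const ALLOWED_ORIGINS = parseAllowedOrigins(
  process.env.ALLOWED_ORIGINS || "https://app.example.com"
);

// Weak form, as the audit flagged it: every origin may read the response.
function wildcardCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened form: echo the requesting origin only when it is allowlisted.
// An unlisted or absent Origin gets no CORS headers at all, so the browser
// refuses the cross-origin read. "Vary: Origin" stops a shared cache from
// replaying one origin's response (and its ACAO header) to another origin.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || !allowed.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET,OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type,Authorization",
  };
}

// Case-insensitive header lookup: HTTP API (v2) events lowercase header
// names, while REST API (v1) proxy events keep the client's casing.
function getHeader(headers, name) {
  if (!headers) return undefined;
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// The HTTP method lives in different places in the two event shapes.
function getMethod(event) {
  return event.requestContext?.http?.method || event.httpMethod || "GET";
}

// Synchronous core so the decision can be checked without awaiting the handler.
function buildResponse(event, allowed = ALLOWED_ORIGINS) {
  const cors = corsHeadersFor(getHeader(event.headers, "origin"), allowed);
  if (getMethod(event).toUpperCase() === "OPTIONS") {
    // Preflight: no body, only the CORS decision.
    return { statusCode: 204, headers: cors, body: "" };
  }
  return {
    statusCode: 200,
    headers: { "Content-Type": "application/json", ...cors },
    body: JSON.stringify({ message: "hello from lambda" }),
  };
}

// Lambda entry point.
const handler = async (event) => buildResponse(event);

// Constructed sample events for a local dry run (not captured traffic).
const trustedEvent = {
  headers: { origin: "https://app.example.com" },
  requestContext: { http: { method: "GET" } },
};
const untrustedEvent = {
  headers: { Origin: "https://attacker.example" },
  httpMethod: "GET",
};

if (typeof module !== "undefined" && module.exports) {
  module.exports = { handler, buildResponse, corsHeadersFor, wildcardCorsHeaders, parseAllowedOrigins };
}
```

Running `buildResponse(trustedEvent)` returns the echoed origin plus `Vary: Origin`; `buildResponse(untrustedEvent)` returns the same 200 body with no CORS headers, which is what makes the browser block the read. The SAM side of the fix is the same allowlist placed under the HTTP API's `CorsConfiguration` `AllowOrigins` list instead of `*`. Note that when CORS is configured on an HTTP API, API Gateway applies its own configuration and disregards CORS headers returned by the integration, so the template and the handler must agree on the allowlist rather than one of them quietly widening it.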
Full report: https://skillshield.io/report/687a26cf117abdf0 (powered by SkillShield)