Security Audit
azure-mgmt-botservice-py
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
azure-mgmt-botservice-py received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 0 medium, and 2 low severity. Key findings include Unpinned package dependencies, Sensitive API key printed to console, Direct inclusion of client secret in code example.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Sensitive API key printed to console: The code snippet explicitly retrieves and prints `site.key`, which represents a Direct Line API key. Printing sensitive credentials to standard output can lead to their exposure in logs, console output, or LLM responses, posing a significant data exfiltration risk. Avoid printing sensitive keys directly. If keys are needed for further operations, pass them securely. Consider using a secrets management service (e.g., Azure Key Vault) or environment variables for sensitive data, and never log them. | LLM | SKILL.md:190 |
| LOW | Unpinned package dependencies: The `pip install` commands do not specify exact versions for `azure-mgmt-botservice` and `azure-identity`. This can lead to non-deterministic builds and potential security vulnerabilities if a future version of a dependency introduces breaking changes or malicious code. It is best practice to pin dependencies to specific versions. Pin package versions (e.g., `pip install azure-mgmt-botservice==X.Y.Z`) to ensure deterministic builds and mitigate risks from unexpected updates. | LLM | SKILL.md:8 |
| LOW | Direct inclusion of client secret in code example: The example code for creating a bot connection includes a placeholder for `client_secret` directly within the `ConnectionSettingProperties`. While this is a placeholder in the documentation, it demonstrates a pattern where sensitive credentials could be hardcoded or directly passed in code, which is a security risk. The 'Best Practices' section correctly advises using Key Vault for storing such secrets, but the example itself shows a less secure pattern. Emphasize the use of secure secret management (e.g., Azure Key Vault, environment variables) for `client_secret` and `client_id` instead of direct inclusion in code, even in examples. Update the example to retrieve these from a secure source if possible, or add a stronger warning. | LLM | SKILL.md:217 |
Full report: https://skillshield.io/report/97607b72e93b7954
Powered by SkillShield