Security Audit
azure-web-pubsub-ts
Source: github.com/sickn33/antigravity-awesome-skills
Trust Assessment
azure-web-pubsub-ts received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 2 medium, and 1 low severity. Key findings include unpinned npm dependencies in the installation instructions, a hardcoded credential placeholder in the authentication example, and logging of a sensitive access token URL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Hardcoded credential placeholder in authentication example.** The example code for `AzureKeyCredential` includes a placeholder `<access-key>` directly in the code. If a developer copies this example and replaces the placeholder with a real key without using environment variables or a secure secret management system, it could lead to hardcoded credentials being committed to source control. Although the 'Best Practices' section recommends `DefaultAzureCredential`, this specific snippet presents a risk if misused. Advise against hardcoding credentials. Emphasize using environment variables, Azure Key Vault, or other secure secret management solutions for production applications. Highlight the `DefaultAzureCredential` example as the recommended approach. | LLM | SKILL.md:33 |
| MEDIUM | **Logging of sensitive access token URL.** The example code explicitly logs `token.url`, which contains an `access_token` in plain text. Logging sensitive tokens to standard output or application logs in a production environment can lead to data exfiltration if logs are compromised or not properly secured. Advise against logging sensitive information like access tokens. If debugging is necessary, ensure logs are securely handled and rotated, and sensitive data is masked or redacted. | LLM | SKILL.md:47 |
| LOW | **Unpinned npm dependencies in installation instructions.** The installation instructions use `npm install <package>` without specifying exact versions. This can lead to non-deterministic builds, compatibility issues, and potential supply chain risks if a dependency updates to a malicious or vulnerable version. While this is documentation, it sets a precedent for development practices. Recommend pinning package versions using `npm install <package>@<version>` or `npm install <package> --save-exact` in `package.json` to ensure deterministic builds and mitigate supply chain risks. | LLM | SKILL.md:9 |
Full report: https://skillshield.io/report/39489129dc41fca1
Powered by SkillShield