Security Audit

gcp-cloud-run

github.com/sickn33/antigravity-awesome-skills

AI SkillCommit e36d6fd3b3f6

TRUSTED

Scanned 1 day ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

gcp-cloud-run received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Reflected Cross-Site Scripting (XSS) in HTTP Function, Publicly Accessible Cloud Run Services/Functions by Default.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

93%

Behavioral Risk Signals

Network Access

1 finding

Shell Execution

1 finding

Dynamic Code

1 finding

Excessive Permissions

1 finding

Security Findings2

Severity	Finding	Layer	Location
MEDIUM	Reflected Cross-Site Scripting (XSS) in HTTP Function The example HTTP Cloud Function directly embeds user-supplied input (`req.query.name` or `req.body.name`) into the HTTP response without proper HTML encoding. If the response is rendered in a browser, an attacker could inject malicious scripts via the `name` parameter, leading to reflected Cross-Site Scripting (XSS). This could allow for session hijacking, defacement, or other client-side attacks. HTML-encode the `name` variable before embedding it in the response. For example, use a library like `lodash.escape` or a custom encoding function. If the response is intended to be plain text, explicitly set `res.setHeader('Content-Type', 'text/plain');` to prevent browser interpretation as HTML.	LLM	SKILL.md:80
INFO	Publicly Accessible Cloud Run Services/Functions by Default The deployment commands for Cloud Run services and Cloud Functions explicitly include the `--allow-unauthenticated` flag. This configuration makes the deployed services and functions publicly accessible over the internet without requiring any Google Cloud authentication. While this might be intended for public APIs, it represents a potential excessive permission if the service is meant to handle sensitive data or internal operations, potentially leading to unauthorized access or data exposure if not properly secured at the application layer. Review the security requirements for the deployed service/function. If public access is not required, remove the `--allow-unauthenticated` flag and configure appropriate IAM permissions for access control. If public access is required, ensure that the application layer implements robust authentication and authorization mechanisms to protect sensitive endpoints and data.	LLM	SKILL.md:50

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/76b4a733253da7cb.svg)](https://skillshield.io/report/76b4a733253da7cb)