Security Audit
m365-agents-dotnet
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
m365-agents-dotnet received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. The two medium findings are: the example appsettings.json shows secret values as direct placeholders, and the installation instructions use unpinned package versions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Example appsettings.json shows direct secret placeholders | LLM | SKILL.md:30 |
| MEDIUM | Unpinned package versions in installation instructions | LLM | SKILL.md:20 |

MEDIUM: Example appsettings.json shows direct secret placeholders (LLM layer, SKILL.md:30)
The `appsettings.json` example includes placeholder values for `ClientSecret` and `AppClientSecret`. Placeholders are not credentials, but a configuration file that presents secrets as literal values invites users to paste real ones into the same slot and commit them, whatever the 'Best Practices' section says; the example itself is a trap for less experienced developers. Recommendation: leave secret values empty (or omit the keys) in the committed `appsettings.json` and supply them from outside the repository: `dotnet user-secrets` during development, environment variables in deployment (the .NET environment-variable configuration provider maps a variable such as `Connections__Foo__ClientSecret` to the configuration key `Connections:Foo:ClientSecret`), or an Azure Key Vault configuration provider. Note that the built-in JSON configuration provider does not expand tokens such as `"${env:CLIENT_SECRET}"`; that string would be used verbatim as the secret, so it is not a substitute for removing the value. Add a prominent warning directly above or below the `appsettings.json` snippet advising against hardcoding secrets and referring to the 'Best Practices' section.

MEDIUM: Unpinned package versions in installation instructions (LLM layer, SKILL.md:20)
The `dotnet add package` commands in the 'Installation' section specify no versions, so each run resolves whatever version is newest on the feed at that moment. A future release can introduce breaking changes, or a malicious version if the package or its publisher is compromised, and the skill's instructions will pull it in unchanged. Recommendation: pin every NuGet package to a specific, reviewed version (e.g. `dotnet add package Microsoft.Agents.Hosting.AspNetCore --version 1.0.0`, the version number being illustrative), or provide a `Directory.Packages.props` or `PackageReference` example with pinned versions, and bump them deliberately after checking release notes and advisories. A `packages.lock.json` (enabled with `RestorePackagesWithLockFile` in the project file) makes restores reproducible and lets CI fail on drift with `dotnet restore --locked-mode`.
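Both findings describe checks that a repository can enforce automatically. The following is an added example written for this page, not SkillShield's scanner and not code from the m365-agents-dotnet skill: a small CI gate that walks an appsettings.json for secret-looking keys holding literal values, reports the environment-variable name (.NET's `__` separator form) the value should be read from instead, produces a hardened copy with those values blanked, and flags `dotnet add package` lines that carry no `--version`. The sample appsettings.json and SKILL.md excerpts are constructed; the key path `Connections:BotServiceConnection:Settings:ClientSecret`, the package names other than the one quoted in the finding, and the version numbers are illustrative assumptions.

```python
"""Added example (not SkillShield's scanner or the skill's own code): a CI gate
for the two finding classes above. All sample inputs below are constructed."""
import json
import re

# Keys whose value should never be a literal in a committed appsettings.json.
SECRET_KEY_RE = re.compile(r"(secret|password|apikey|api_key|token)$", re.IGNORECASE)
# Values that are obviously placeholders rather than real credentials.
PLACEHOLDER_RE = re.compile(
    r"^\s*(<[^>]*>|\{[^}]*\}|\$\{[^}]*\}|your[-_ ]\S.*|changeme|x{3,}|\.\.\.)\s*$",
    re.IGNORECASE,
)
# `dotnet add package <id> [options]`, with or without a leading shell prompt.
ADD_PACKAGE_RE = re.compile(r"^\s*(?:\$\s*)?dotnet\s+add\s+package\s+(\S+)(.*)$")
VERSION_RE = re.compile(r"(?:^|\s)(?:--version|-v)\s+\S+")

# Constructed sample: the key path and ids are illustrative, not the skill's.
APPSETTINGS_EXAMPLE = """\
{
  "Connections": {
    "BotServiceConnection": {
      "Settings": {
        "AuthType": "ClientSecret",
        "ClientId": "00000000-0000-0000-0000-000000000000",
        "ClientSecret": "<your-client-secret>",
        "TenantId": "00000000-0000-0000-0000-000000000000"
      }
    }
  },
  "AppClientSecret": "s3cr3t-pasted-by-a-developer"
}
"""
SAMPLE_SETTINGS = json.loads(APPSETTINGS_EXAMPLE)

# Constructed sample of an Installation section; package names and versions
# other than Microsoft.Agents.Hosting.AspNetCore are illustrative.
SKILL_MD_EXAMPLE = """\
## Installation
    dotnet add package Microsoft.Agents.Hosting.AspNetCore
    dotnet add package Microsoft.Agents.Authentication.Msal --version 1.0.0
    $ dotnet add package Microsoft.Agents.Builder
"""


def find_hardcoded_secrets(settings, path=()):
    """Walk nested configuration and return one record per secret-looking key
    holding a non-empty string. 'key' is the .NET ':' path; 'env_var' is the
    '__' form that AddEnvironmentVariables() maps onto that key."""
    findings = []
    for key, value in settings.items():
        here = path + (key,)
        if isinstance(value, dict):
            findings.extend(find_hardcoded_secrets(value, here))
        elif isinstance(value, str) and value.strip() and SECRET_KEY_RE.search(key):
            config_key = ":".join(here)
            findings.append({
                "key": config_key,
                "env_var": config_key.replace(":", "__"),
                "placeholder": bool(PLACEHOLDER_RE.match(value)),
            })
    return findings


def find_unpinned_packages(skill_md):
    """Package ids from `dotnet add package` lines that carry no --version/-v."""
    unpinned = []
    for line in skill_md.splitlines():
        m = ADD_PACKAGE_RE.match(line)
        if m and not VERSION_RE.search(m.group(2)):
            unpinned.append(m.group(1))
    return unpinned


def strip_secrets(settings):
    """Return (hardened deep copy with secret values blanked, env var names to set)."""
    cleaned = json.loads(json.dumps(settings))
    env_vars = []
    for finding in find_hardcoded_secrets(settings):
        parts = finding["key"].split(":")
        node = cleaned
        for part in parts[:-1]:
            node = node[part]
        node[parts[-1]] = ""  # value now comes from the environment or a secret store
        env_vars.append(finding["env_var"])
    return cleaned, env_vars


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_SETTINGS):
        kind = "placeholder" if f["placeholder"] else "literal"
        print(f"[MEDIUM] {f['key']} holds a {kind} secret; read it from {f['env_var']}")
    for pkg in find_unpinned_packages(SKILL_MD_EXAMPLE):
        print(f"[MEDIUM] unpinned install: dotnet add package {pkg}  (add --version)")
    hardened, env_vars = strip_secrets(SAMPLE_SETTINGS)
    print(json.dumps(hardened, indent=2))
    print("set before running:", " ".join(env_vars))
```

Run it as a pre-commit or CI step and fail the build on any finding. The `__` names it prints are what the default ASP.NET Core host reads through its environment-variable provider; for local development, `dotnet user-secrets set "Connections:BotServiceConnection:Settings:ClientSecret" "<value>"` keeps the value out of the repository under the same configuration key. The gate deliberately treats `${env:...}` strings as placeholders rather than as a fix, since the JSON configuration provider does not expand them.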
Full report: https://skillshield.io/report/e490c962752d3998
Powered by SkillShield