Security Audit
microsoft-azure-webjobs-extensions-authentication-events-dotnet
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
microsoft-azure-webjobs-extensions-authentication-events-dotnet received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 1 medium, and 1 low severity. The key findings are "External API call to placeholder domain with user data" and "Unpinned dependency in installation instructions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| MEDIUM | External API call to placeholder domain with user data | The skill demonstrates fetching user data from an external API at `https://api.example.com/users/{userId}`. While `api.example.com` is a placeholder, in a real-world scenario, calling an external, potentially untrusted API with user-specific identifiers (`userId`) introduces a trust boundary. A compromised or malicious external API could lead to data exfiltration (sending sensitive user data to an attacker), incorrect claims being issued (leading to privilege escalation or incorrect access), or availability issues if the external service is unreliable. The `userId` is derived from the authentication context, making it sensitive. Ensure that any external APIs called are trusted, secure, and have appropriate access controls. Implement robust input validation and output sanitization for data exchanged with external services. Consider using managed identities or other secure authentication mechanisms for API calls. Implement circuit breakers or retry policies for external dependencies. Avoid sending sensitive user data to external services unless absolutely necessary and with proper data protection measures. For production, replace `api.example.com` with a controlled and secured endpoint. | LLM | SKILL.md:60 |
| LOW | Unpinned dependency in installation instructions | The installation instructions use `dotnet add package Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents` without specifying a version. This will pull the latest stable version of the package. While this is a legitimate Microsoft package, relying on unpinned dependencies can introduce supply chain risks, as a future malicious or vulnerable update to the package could be automatically pulled into the project without explicit review, potentially introducing vulnerabilities or breaking changes. Pin dependencies to a specific version (e.g., `dotnet add package Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents --version 1.1.0`) to ensure build reproducibility and prevent unexpected changes or vulnerabilities from being introduced by new package versions. Regularly review and update dependencies. | LLM | SKILL.md:12 |