Security Audit
secrets-management
github.com/sickn33/antigravity-awesome-skillsTrust Assessment
secrets-management received a trust score of 28/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 2 high, 3 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Sensitive environment variable access: $GITHUB_ENV, Unmasked GitHub Secrets printed to logs.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/secrets-management/SKILL.md:71 | |
| HIGH | Unmasked GitHub Secrets printed to logs The GitHub Actions examples directly print sensitive information such as `secrets.API_KEY` (line 160), `secrets.DATABASE_URL` (line 161), and `secrets.PROD_API_KEY` (line 169) to standard output using `echo`. This exposes raw secret values in CI/CD logs, which is a data exfiltration risk if logs are compromised or accessible to unauthorized users. GitHub Actions provides `::add-mask::` to prevent this, and the skill's own best practices explicitly recommend 'Mask secrets in logs'. Modify the `echo` statements to mask the secrets, e.g., `echo "::add-mask::API Key: ${{ secrets.API_KEY }}"`. Alternatively, avoid printing sensitive information directly to logs unless absolutely necessary and properly masked. | LLM | SKILL.md:160 | |
| HIGH | Unmasked GitLab CI/CD variables printed to logs The GitLab CI/CD example directly prints `$API_KEY` (line 180) and `$DATABASE_URL` (line 181) to standard output using `echo`. This will expose the raw secret values in CI/CD logs. While GitLab CI has masked variables, the example does not explicitly show how to ensure these specific variables are masked when used in `echo` commands, leading to potential data exfiltration. The skill's own best practices explicitly recommend 'Mask secrets in logs'. Ensure that sensitive variables are configured as 'Masked' in GitLab CI/CD settings. If printing is unavoidable, use a mechanism to mask the output or avoid printing the raw value. | LLM | SKILL.md:180 | |
| MEDIUM | Sensitive environment variable access: $GITHUB_ENV Access to sensitive environment variable '$GITHUB_ENV' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/secrets-management/SKILL.md:156 | |
| MEDIUM | Unpinned Docker image tag 'latest' used in GitLab CI The GitLab CI configuration uses `image: vault:latest`. Using the `latest` tag for Docker images is a supply chain risk because the image content can change unexpectedly, potentially introducing vulnerabilities or malicious code without explicit updates to the CI configuration. Pin the Docker image to a specific, immutable version (e.g., `vault:1.13.0`) to ensure deterministic builds and reduce supply chain risks. | LLM | SKILL.md:97 | |
| MEDIUM | Unpinned Docker image tag 'latest' used in pre-commit hook The pre-commit hook example uses `trufflesecurity/trufflehog:latest`. Using the `latest` tag for Docker images is a supply chain risk because the image content can change unexpectedly, potentially introducing vulnerabilities or malicious code without explicit updates to the script. Pin the Docker image to a specific, immutable version (e.g., `trufflesecurity/trufflehog:3.28.0`) to ensure deterministic execution and reduce supply chain risks. | LLM | SKILL.md:278 |
Scan History
Embed Code
[](https://skillshield.io/report/e1392c6325f99af1)
Powered by SkillShield