Security Audit
startup-business-analyst-financial-projections
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
startup-business-analyst-financial-projections received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The key finding is "Unused high-risk permissions declared".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unused high-risk permissions declared. The skill declares several powerful permissions (`Bash`, `WebSearch`, `WebFetch`, `Glob`, `Grep`) in its manifest (`allowed-tools`) but does not describe any explicit use cases or instructions for these tools within the `SKILL.md` body. Declaring unused, high-risk permissions increases the attack surface and potential for misuse if the skill's behavior were to be manipulated or if a vulnerability were discovered in the agent's execution environment. For example, `Bash` allows arbitrary shell command execution, and `WebSearch`/`WebFetch` enable external network requests, neither of which is justified by the skill's described financial modeling process. Remove unnecessary permissions from the `allowed-tools` declaration in the skill's manifest. Only declare permissions that are strictly required for the skill's intended functionality. Based on the skill's description, `Read`, `Write`, and `Edit` appear to be the only necessary permissions. If `WebSearch` is implicitly used for 'benchmarks', its usage should be explicitly documented. | LLM | SKILL.md |