Security Audit

developer-growth-analysis

github.com/skillcreatorai/Ai-Agent-Skills

AI SkillCommit 6195a031c29c

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

developer-growth-analysis received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Sensitive Local Chat History Exfiltrated to External Service.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 11, 2026 (commit 6195a031). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Network Access

1 finding

Filesystem Write

1 finding

Security Findings1

Severity	Finding	Layer	Location
HIGH	Sensitive Local Chat History Exfiltrated to External Service The skill explicitly instructs the LLM to read the user's local Claude chat history from `~/.claude/history.jsonl`. This file can contain highly sensitive information, including user messages, project details, and `pastedContents` (which may include code, API keys, or other confidential data). The skill then analyzes this data and sends a 'complete report' derived from it to the user's Slack DMs using `Rube MCP`. While intended for the user's own DMs, this constitutes an external transfer of potentially sensitive local data, posing a risk if the Slack integration or the `Rube MCP` tool is compromised, or if the user's Slack account is not adequately secured. This is a direct instruction for data exfiltration. 1. Data Minimization: Strictly filter the data read from `history.jsonl` to only include necessary fields, excluding highly sensitive `pastedContents` unless explicitly required and consented to. 2. Redaction/Anonymization: Implement robust redaction or anonymization techniques for any sensitive data before it is included in the report or sent externally. 3. Explicit User Consent: Clearly inform the user about the specific types of data being accessed and the external services (Slack) to which derived information will be sent, requiring explicit consent. 4. Secure Communication: Ensure the `Rube MCP` tool uses secure, encrypted channels for all external communications and that Slack integration follows best practices for OAuth and token management. 5. Local-Only Option: Provide an option for users to generate and view the report locally without sending it to an external service.	LLM	SKILL.md:56

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/6983be5f6ea9b45a.svg)](https://skillshield.io/report/6983be5f6ea9b45a)