Trust Assessment
fastapi-templates received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The findings are an overly permissive CORS configuration (high) and sensitive data logging via SQLAlchemy `echo=True` (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 5d65aa10). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Overly permissive CORS configuration. The `CORSMiddleware` is configured with `allow_origins=["*"]` together with `allow_credentials=True`. Browsers refuse to honour `Access-Control-Allow-Origin: *` on a credentialed response, but Starlette's middleware does not send `*` in that case: when the request carries a `Cookie` header it reflects the request's `Origin` value, so the browser-side safeguard does not apply. Any site a logged-in user visits can therefore make cookie-authenticated cross-origin requests to the API and read the responses, which defeats the same-origin protection that otherwise limits CSRF-style abuse to blind requests. Only per-endpoint authentication and authorization checks stand in the way. This is acceptable for local development, but the skill is presented as 'production-ready', which makes it a significant concern for deployment. Remediation: restrict `allow_origins` to an explicit list of trusted origins (scheme, host and port) loaded from configuration such as an environment variable, and never combine `["*"]` with `allow_credentials=True`. | LLM | SKILL.md:40 |
| MEDIUM | Sensitive data logging via SQLAlchemy `echo=True`. The engine is created with `echo=True` (`create_async_engine(settings.DATABASE_URL, echo=True, future=True)`), which emits every SQL statement and its bound parameters through the `sqlalchemy.engine` logger at INFO level (to standard output by default). In production this puts user input, PII and internal schema details into application logs, where anyone with log access can read them. Remediation: set `echo=False` for production deployments and enable it only for debugging in development. Where statement logging is genuinely needed, `hide_parameters=True` on the engine keeps parameter values out of both log lines and exception messages. | LLM | SKILL.md:67 |
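The following is an added example of how both findings can be closed at configuration time; it is not code from the fastapi-templates skill. It assumes environment variables named `ALLOWED_ORIGINS`, `APP_ENV`, `SQL_ECHO` and `DATABASE_URL`, and the helper names (`parse_allowed_origins`, `cors_kwargs`, `engine_kwargs`, `build_app`) are illustrative. The origin parser rejects entries that are not bare origins, because `CORSMiddleware` matches the `Origin` header by exact string comparison and a malformed entry such as a trailing slash would silently never match.

```python
# Added example (not part of the fastapi-templates skill): build the CORS and
# engine settings so that the wildcard+credentials and echo=True mistakes
# flagged in the report cannot reach production. Environment variable names
# and helper names are assumptions for illustration.
import os
from urllib.parse import urlsplit


def parse_allowed_origins(raw: str) -> list[str]:
    """Parse a comma-separated ALLOWED_ORIGINS value.

    Each entry must be a bare origin (scheme://host[:port]) or the literal "*".
    Paths, query strings, fragments and bare hostnames are rejected instead of
    being silently accepted, since CORSMiddleware compares the Origin header to
    this list by exact string match. A trailing "/" is tolerated and stripped.
    """
    origins: list[str] = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        if item == "*":
            origins.append("*")
            continue
        parts = urlsplit(item)
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path not in ("", "/") or parts.query or parts.fragment):
            raise ValueError(f"not a bare origin: {item!r}")
        origins.append(f"{parts.scheme}://{parts.netloc.lower()}")
    return origins


def cors_kwargs(raw_origins: str, allow_credentials: bool) -> dict:
    """Keyword arguments for starlette's CORSMiddleware.

    Refuses "*" together with allow_credentials=True: Starlette reflects the
    request's Origin for requests that carry a Cookie header when "*" is
    configured, so the browser's refusal of "*" plus credentials never applies.
    """
    origins = parse_allowed_origins(raw_origins)
    if not origins:
        raise ValueError("ALLOWED_ORIGINS must list at least one origin")
    if allow_credentials and "*" in origins:
        raise ValueError('allow_credentials=True requires explicit origins, not "*"')
    return {
        "allow_origins": origins,
        "allow_credentials": allow_credentials,
        "allow_methods": ["GET", "POST", "PUT", "DELETE"],
        "allow_headers": ["Authorization", "Content-Type"],
    }


def engine_kwargs(app_env: str, sql_echo: str = "") -> dict:
    """Keyword arguments for create_async_engine.

    SQL echo is honoured only outside production, and even then
    hide_parameters keeps bound values (user input, PII) out of the log
    lines and out of StatementError messages.
    """
    echo = app_env != "production" and sql_echo.lower() in ("1", "true", "yes")
    return {"echo": echo, "hide_parameters": True}


def build_app():
    """Wire the settings into a FastAPI app.

    Imported lazily so the validation helpers above work without fastapi or
    sqlalchemy installed; running this function needs both (plus an async
    driver matching DATABASE_URL, e.g. aiosqlite for the assumed default).
    """
    from fastapi import FastAPI
    from fastapi.middleware.cors import CORSMiddleware
    from sqlalchemy.ext.asyncio import create_async_engine

    app_env = os.environ.get("APP_ENV", "development")
    app = FastAPI()
    app.add_middleware(
        CORSMiddleware,
        **cors_kwargs(os.environ.get("ALLOWED_ORIGINS", "http://localhost:3000"),
                      allow_credentials=True),
    )
    app.state.engine = create_async_engine(
        os.environ.get("DATABASE_URL", "sqlite+aiosqlite:///./dev.db"),
        **engine_kwargs(app_env, os.environ.get("SQL_ECHO", "")),
    )
    return app


if __name__ == "__main__":
    build_app()
```

With `APP_ENV=production` the engine is created with `echo=False` regardless of `SQL_ECHO`, and a deployment that sets `ALLOWED_ORIGINS=*` while keeping credentials enabled fails at startup instead of shipping the reflected-origin behaviour.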
Full report: https://skillshield.io/report/95389bddff5ddcab (powered by SkillShield)