Security Audit

javascript-testing-patterns

github.com/wshobson/agents

AI SkillCommit 5d65aa10638b

100

TRUSTED

Scanned 9 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

javascript-testing-patterns received a trust score of 100/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.

SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 0 medium, and 0 low severity. Key findings include Example uses environment variables for sensitive data, Example uses hardcoded test database credentials.

The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 11, 2026 (commit 5d65aa10). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

100%

Behavioral Risk Signals

Shell Execution

1 finding

Excessive Permissions

1 finding

Security Findings2

Severity	Finding	Layer	Location
INFO	Example uses environment variables for sensitive data The skill demonstrates accessing sensitive information (SMTP credentials) via `process.env`. While this is a standard practice for configuration, direct exposure or logging of these variables in a production environment could lead to credential harvesting or data exfiltration. The skill itself is not performing these actions, but an agent implementing this pattern should be aware of the security implications. Ensure that environment variables containing sensitive data are properly secured and never logged or exposed in production environments. Consider using secret management services.	Unknown	SKILL.md:199
INFO	Example uses hardcoded test database credentials The skill provides an integration test example with hardcoded database credentials (`test_db`, `test_user`, `test_password`). While acceptable for a local test environment, hardcoding credentials in production code is a severe security risk, leading to credential harvesting if exposed. The skill itself is not performing these actions, but an agent implementing this pattern should be aware of the security implications. Never hardcode production database credentials. Use environment variables, secret management services, or secure configuration files for sensitive connection details.	Unknown	SKILL.md:449

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/3ff4486286600ada.svg)](https://skillshield.io/report/3ff4486286600ada)