
Add SafeSkill security badge (83/100 — Passes with Notes) #21

Closed
OyaAIProd wants to merge 1 commit into D0NMEGA:main from OyaAIProd:safeskill-scan-1774784175299


OyaAIProd commented Mar 29, 2026

⚠️ SafeSkill Security Scan Results

| Metric | Value |
|---|---|
| Overall Score | 83/100 (Passes with Notes) |
| Code Score | 97/100 |
| Content Score | 60/100 |
| Findings | 33 findings detected (5 critical) |
| Taint Flows | 0 |
| Files Scanned | 5 |
| Scan Duration | 0.8s |

Top Findings

  • 🔴 critical: Accesses sensitive environment variable: MOLTGRID_API_KEY (moltgrid-mcp/src/index.ts:9)
  • 🔴 critical: Accesses sensitive environment variable: MOLTGRID_API_KEY (moltgrid-mcp/src/index.ts:14)
  • 🔴 critical: Data exfiltration pattern detected (data-exfil-pattern): "curl -X POST https://api.moltgrid.net/v1/heartbeat -H "X-API-Key: YOUR_API_KEY" " (heartbeat.md:124)
  • 🔴 critical: Data exfiltration pattern detected (sensitive-path-ref): "~/.config" (skill.md:86)
  • 🔴 critical: Data exfiltration pattern detected (sensitive-path-ref): "~/.config" (skill.md:102)

View full report on SafeSkill


This PR was automatically generated by SafeSkill — the security scanner for AI tools and MCP servers.

Summary by CodeRabbit

  • Documentation
    • Added SafeSkill verification badge to the Key Features section.

@github-actions

Thank you for your contribution! Before we can merge this PR, you need to sign our Contributor License Agreement.

To sign, please comment below:

I have read the CLA Document and I hereby sign the CLA



You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.


coderabbitai bot commented Mar 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d3499b3b-9f63-44f7-bd68-87c82f978e16

📥 Commits

Reviewing files that changed from the base of the PR and between 2478664 and bba6fb8.

📒 Files selected for processing (1)
  • README.md

📝 Walkthrough

A SafeSkill security badge (83/100 shield) has been added to the README.md file within the Key Features section, linking to safeskill.dev. This documentation update showcases the project's security assessment rating.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation: README.md | Added SafeSkill 83/100 badge with hyperlink to safeskill.dev in the Key Features section. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A badge so shiny, a shield of pride,
SafeSkill's eighty-three displayed with stride!
Our README gleams with security's cheer,
A trustworthy mark for all to revere! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description deviates significantly from the required template, lacking Summary, Changes, Testing, and Checklist sections. It contains only a SafeSkill scan report table without explaining what the PR actually does or how it was tested. | Restructure the description to follow the template: add a Summary section explaining the badge addition, list changes in the Changes section, document testing performed, and complete the Checklist with applicable items. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically identifies the main change: adding a SafeSkill security badge with its score (83/100) and status, which matches the README.md modification. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


D0NMEGA (Owner) commented Mar 30, 2026

Thanks for the PR, but I'm going to close this one:

  • The badge link (safeskill.dev/scan/d0nmega-moltgrid) returns a 404, so it wouldn't be useful to visitors.
  • The "critical" findings are false positives -- an MCP server reading MOLTGRID_API_KEY from env vars is expected behavior, and curl examples in documentation aren't data exfiltration.
  • I didn't opt into SafeSkill, so I'd rather not add third-party badges I don't control to the README.

Appreciate the interest in MoltGrid's security though!

D0NMEGA closed this Mar 30, 2026

@OyaAIProd (Author)

  • @D0NMEGA, the report is available here: https://safeskill.dev/scan/d0nmega-moltgrid. Could you confirm if you’re still encountering a 404 error?
  • Regarding the false positives, I’ve logged them in our issues tracker for further investigation.
  • As for opting in, it’s completely understandable either way. This is a free, open-source, non-profit project aimed at helping the community use safe skills, especially given the current state of the internet with increasing low-quality and potentially harmful content. The badge is mostly symbolic and helps spread awareness of the project, but ultimately the decision is entirely up to you.
