Security Audit
affaan-m/everything-claude-code:docs/ja-JP/skills/security-scan
github.com/affaan-m/everything-claude-code

Trust Assessment
affaan-m/everything-claude-code:docs/ja-JP/skills/security-scan received a trust score of 64/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 0 medium, and 2 low severity. The key findings are an unpinned `npx` package execution and an unpinned GitHub Action major version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 20, 2026 (commit 9a478ad6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| LOW | **Unpinned `npx` package execution.** The skill instructs users to execute `npx ecc-agentshield` without specifying a version. This means that the latest version of the `ecc-agentshield` package will be downloaded and executed from npm. If a malicious update is published to `ecc-agentshield` or any of its dependencies, users following these instructions could unknowingly execute compromised code, leading to a supply chain attack. To mitigate this supply chain risk, specify a precise version for `npx` commands (e.g., `npx ecc-agentshield@1.2.3 scan`). For global installations, ensure a lockfile is used or pin to a specific version. | Static | SKILL.md:32 |
| LOW | **Unpinned GitHub Action major version.** The GitHub Action `affaan-m/agentshield@v1` is pinned to a major version tag. While this provides some level of stability, the `v1` tag can be updated by the maintainer to include new, potentially malicious, code. This introduces a supply chain risk where a future update to the `v1` tag could compromise the CI/CD pipeline without explicit user action. Pin the GitHub Action to a specific commit SHA instead of a major version tag (e.g., `uses: affaan-m/agentshield@<commit_sha>`). This ensures immutability and prevents unexpected changes from upstream. | Static | SKILL.md:95 |
Full report: https://skillshield.io/report/16be9176f0cdf7d5