Trust Assessment
expo received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include Missing required field: name, Direct instruction to install external plugin.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit 1823c3f6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | plugins/specweave-mobile/skills/expo/SKILL.md:1 | |
| MEDIUM | Direct instruction to install external plugin The skill explicitly instructs the installation of an external plugin (`context7`) from `claude-plugins-official`. While the source appears official, instructing the LLM to install external plugins introduces a supply chain risk, as the plugin's code and its permissions are then trusted. This is a direct instruction for execution. Avoid instructing the LLM to directly install external plugins. If a plugin is required, it should be pre-approved and bundled with the skill, or the instruction should be phrased as a suggestion for the *user* to perform, rather than an instruction for the LLM. | Static | SKILL.md:9 |
Scan History
Embed Code
[](https://skillshield.io/report/0e60aabe4e7e90da)
Powered by SkillShield