Trust Assessment
botchan received a trust score of 70/100, placing it in the Caution category: the skill has security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding (1 critical, 0 high, 0 medium, 0 low). The finding is a mismatched npm package name in the CLI installation instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. Every layer scored 70 or above.
Last analyzed on February 15, 2026 (commit 66de0a1e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Mismatched npm package name for CLI installation. `SKILL.md` instructs users to install the CLI with `npm install -g botchan`, but the source code link given for the project is `https://github.com/stuckinaboot/botchan`. A check on npmjs.com shows that the `botchan` package on npm belongs to a different, unrelated project (e.g., `https://github.com/botchan-dev/botchan`), last updated 2 years ago, with very low download counts. This is a high-risk typosquatting or misconfiguration scenario: users intending to install the `stuckinaboot/botchan` CLI will instead install a potentially malicious or abandoned package. The skill author should either publish the CLI under the `botchan` name on npm (only if that name is available and they are its rightful owner) or, more likely, publish it under a unique or scoped name (e.g., `@stuckinaboot/botchan`) and update the installation instructions to match. Alternatively, if the CLI is not meant to be an npm package, the instructions should install it directly from the GitHub repository. | Static | SKILL.md:29 |
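The check behind this finding is one a user can run before trusting any `npm install -g <name>` line in a skill: fetch the registry document for the package and confirm that its declared `repository` resolves to the GitHub repo the `SKILL.md` links to, and that the package is not long abandoned. The following is an added example written for this report, not SkillShield's analyzer or any code from the botchan project. The registry documents it checks are constructed inline (the `botchan-dev/botchan` repository URL is used only because the finding above cites it as an example, and `@stuckinaboot/botchan` is the hypothetical scoped name the finding suggests); the `fetch_registry_doc` helper is only used when the script is run directly against the live registry.

```python
"""Verify that an npm package's registry metadata points at the GitHub
repository a skill's install instructions claim, before installing it."""
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone


def normalize_repo(url: str) -> str:
    """Reduce the many spellings of a GitHub repo URL to lower-case 'owner/repo'.

    Accepts 'git+https://github.com/o/r.git', 'git@github.com:o/r.git',
    'github:o/r' and plain 'https://github.com/o/r'. Returns '' for non-GitHub
    or empty values so the caller treats them as 'no verifiable repository'.
    """
    if not url:
        return ""
    url = url.strip()
    url = re.sub(r"^git\+", "", url)
    url = re.sub(r"^github:", "https://github.com/", url)
    url = re.sub(r"^git@github\.com:", "https://github.com/", url)
    m = re.match(r"^(?:https?|git|ssh)://(?:[^@/]+@)?github\.com/([^/]+)/([^/#?]+)", url)
    if not m:
        return ""
    owner, repo = m.group(1), re.sub(r"\.git$", "", m.group(2))
    return f"{owner}/{repo}".lower()


def check_package(doc: dict, expected_repo: str, now: datetime, stale_days: int = 365) -> dict:
    """Compare a registry document (the JSON served at
    https://registry.npmjs.org/<name>) against the repository the skill links to.

    The repository field is read from the 'latest' version first, since that is
    what `npm install` would actually fetch, falling back to the top-level field.
    """
    latest_tag = doc.get("dist-tags", {}).get("latest", "")
    latest = doc.get("versions", {}).get(latest_tag, {})
    repo_field = latest.get("repository") or doc.get("repository") or {}
    repo_url = repo_field if isinstance(repo_field, str) else repo_field.get("url", "")
    actual, expected = normalize_repo(repo_url), normalize_repo(expected_repo)

    age_days = None
    modified = doc.get("time", {}).get("modified")
    if modified:
        ts = datetime.fromisoformat(modified.replace("Z", "+00:00"))
        age_days = (now - ts).days

    findings = []
    if not actual:
        findings.append("no GitHub repository declared in registry metadata")
    elif actual != expected:
        findings.append(f"repository mismatch: registry says {actual}, docs say {expected}")
    if age_days is not None and age_days > stale_days:
        findings.append(f"last published {age_days} days ago")
    return {"name": doc.get("name"), "repo": actual, "age_days": age_days,
            "ok": not findings, "findings": findings}


def fetch_registry_doc(name: str) -> dict:
    """Fetch the live registry document; scoped names must keep their '@' but
    have the '/' percent-encoded, which quote(safe='@') does."""
    url = "https://registry.npmjs.org/" + urllib.parse.quote(name, safe="@")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample registry documents (not real npmjs.com data).
MISMATCH_DOC = {
    "name": "botchan",
    "dist-tags": {"latest": "0.1.2"},
    "versions": {"0.1.2": {"repository": {"type": "git",
                 "url": "git+https://github.com/botchan-dev/botchan.git"}}},
    "time": {"modified": "2024-01-10T12:00:00.000Z"},
}
MATCH_DOC = {  # hypothetical scoped package, as the finding recommends
    "name": "@stuckinaboot/botchan",
    "dist-tags": {"latest": "1.0.0"},
    "versions": {"1.0.0": {"repository": {"type": "git",
                 "url": "git@github.com:stuckinaboot/botchan.git"}}},
    "time": {"modified": "2026-02-01T12:00:00.000Z"},
}
NOW = datetime(2026, 2, 15, tzinfo=timezone.utc)
EXPECTED = "https://github.com/stuckinaboot/botchan"

if __name__ == "__main__":
    for doc in (MISMATCH_DOC, MATCH_DOC):
        print(json.dumps(check_package(doc, EXPECTED, NOW), indent=2))
    # Live check against the registry, e.g.:
    # print(check_package(fetch_registry_doc("botchan"), EXPECTED, datetime.now(timezone.utc)))
```

Run against the constructed documents, the unscoped `botchan` entry fails on both the repository mismatch and the stale publish date, while the hypothetical scoped package passes; swap in `fetch_registry_doc(...)` to repeat the check against the real registry before installing.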
Scan History
Powered by SkillShield