Trust Assessment
botchan received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Mismatched npm package name for CLI installation.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit 66de0a1e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Mismatched npm package name for CLI installation: The `SKILL.md` instructs users to install the CLI using `npm install -g botchan`. However, the provided source code link for the project is `https://github.com/stuckinaboot/botchan`. A check on npmjs.com reveals that the `botchan` package on npm is a different, unrelated project (e.g., `https://github.com/botchan-dev/botchan`), last updated 2 years ago, with very low download counts. This indicates a high risk of typosquatting or a misconfiguration, where users intending to install the `stuckinaboot/botchan` CLI will instead install a potentially malicious or abandoned package from npm. The skill author should either publish their CLI under the `botchan` name on npm (if available and they are the rightful owner) or, more likely, publish it under a unique, scoped, or different name (e.g., `@stuckinaboot/botchan`) and update the installation instructions accordingly. Alternatively, provide instructions to install directly from the GitHub repository if it is not intended to be an npm package. | Unknown | SKILL.md:29 |
Full report: https://skillshield.io/report/478c1deea2b31118 (powered by SkillShield)