Trust Assessment
insta-cog received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The finding is an unpinned dependency in the manifest and documentation.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit b520750d). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned dependency in manifest and documentation. The skill's manifest lists 'cellcog' as a dependency without a specific version constraint, and the `SKILL.md` documentation instructs users to install it using `clawhub install cellcog`. This 'unpinned' dependency can lead to supply chain risks, as future updates to 'cellcog' could introduce breaking changes, compatibility issues, or security vulnerabilities without explicit review or control. Relying on the latest version without pinning can result in unexpected behavior or compromise. Specify a precise version or a version range for the `cellcog` dependency in the skill's manifest (e.g., `"dependencies": ["cellcog==1.2.3"]` or `"dependencies": ["cellcog>=1.0.0,<2.0.0"]`). Update the documentation to reflect the recommended pinned version for installation. | Unknown | SKILL.md:20 |