Trust Assessment
sheet-cog received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The single finding is an unpinned dependency in the manifest.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit b520750d). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned dependency in manifest. The skill's manifest specifies a dependency on 'cellcog' without a version constraint. This allows `clawhub` to install the latest available version, which could be malicious if the package maintainer's account is compromised or if a typosquatting attack occurs. This introduces a supply chain risk where a compromised dependency could lead to arbitrary code execution. Pin the dependency to a specific version or a version range (e.g., `"cellcog": "==1.2.3"` or `"cellcog": ">=1.0.0,<2.0.0"`) to ensure predictable and secure dependency resolution. An exact pin is the stronger choice: a range still admits any new release published within its bounds, so it narrows the window but does not close it. | Unknown | Manifest |
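The check behind this finding, as an added example rather than SkillShield's own scanner or anything shipped with sheet-cog: it classifies each dependency's version specifier as pinned, bounded or unpinned, and emits a finding for the last category. The manifest layout (a `dependencies` mapping of name to specifier, or a list of `name`/`name<op>version` strings), the specifier grammar, the function names `classify_constraint` and `find_unpinned`, and the three sample manifests with their version numbers are all assumptions made for the example; only the `cellcog` dependency and the suggested fixes come from the report.

```python
"""Check a skill manifest for dependencies that carry no version constraint."""
import json
import re

# One clause of a version specifier, e.g. ">=1.0.0" or "==1.2.3".
# The grammar is an assumption; clawhub's real specifier syntax is not documented here.
_CLAUSE_RE = re.compile(r"^(==|~=|>=|<=|>|<|!=)\s*([0-9][0-9A-Za-z.+\-]*)$")
_LOWER = {">=", ">"}
_UPPER = {"<=", "<"}


def classify_constraint(spec):
    """Classify a version specifier as 'pinned', 'bounded' or 'unpinned'.

    'pinned'   : exact version ("==1.2.3")
    'bounded'  : a range with an upper bound (">=1.0.0,<2.0.0", "~=1.2")
    'unpinned' : nothing, a wildcard, an unparseable string, or a bare lower
                 bound (">=1.0.0"); all of these let the resolver pick the
                 newest release the registry serves, which is the risk the
                 finding describes.
    """
    if spec is None:
        return "unpinned"
    spec = spec.strip()
    if spec in ("", "*", "latest"):
        return "unpinned"
    ops = []
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            return "unpinned"  # unparseable: treat as unconstrained
        ops.append(m.group(1))
    if "==" in ops:
        return "pinned"
    if "~=" in ops or (set(ops) & _LOWER and set(ops) & _UPPER):
        return "bounded"
    return "unpinned"


def _iter_dependencies(manifest):
    """Yield (name, spec) pairs from the manifest's "dependencies" field.

    Assumed layout: a mapping of name -> specifier, or a list of "name" /
    "name<op>version" strings. A bare name yields spec None.
    """
    deps = manifest.get("dependencies", {})
    if isinstance(deps, dict):
        for name, spec in deps.items():
            yield name, spec
    else:
        for entry in deps:
            m = re.match(r"^([A-Za-z0-9_.\-]+)(.*)$", entry.strip())
            if m:
                yield m.group(1), m.group(2) or None


def find_unpinned(manifest):
    """Return one HIGH finding per dependency that is neither pinned nor bounded."""
    findings = []
    for name, spec in _iter_dependencies(manifest):
        if classify_constraint(spec) == "unpinned":
            findings.append({
                "severity": "HIGH",
                "layer": "manifest_analysis",
                "location": "Manifest",
                "dependency": name,
                "constraint": spec,
                "message": (f"Unpinned dependency in manifest: '{name}' has no "
                            f"version constraint; pin it, e.g. \"{name}\": \"==1.2.3\"."),
            })
    return findings


# Constructed manifests in the assumed layout (not sheet-cog's real file).
WEAK_MANIFEST = json.loads('{"name": "sheet-cog", "dependencies": {"cellcog": ""}}')
PINNED_MANIFEST = json.loads('{"name": "sheet-cog", "dependencies": {"cellcog": "==1.2.3"}}')
RANGED_MANIFEST = json.loads('{"name": "sheet-cog", "dependencies": {"cellcog": ">=1.0.0,<2.0.0"}}')

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("pinned", PINNED_MANIFEST), ("ranged", RANGED_MANIFEST)):
        print(label, json.dumps(find_unpinned(manifest), indent=2))
```

Running the block flags only the weak manifest; the pinned and ranged variants produce no findings, matching the report's two suggested fixes. A bare lower bound such as `">=1.0.0"` is deliberately still reported, because it does not stop the resolver from taking whatever the registry serves next.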
Full report: https://skillshield.io/report/2ec128c346ffe01f