Trust Assessment
push-to-registry received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned GitHub Action dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 98272896). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned GitHub Action dependency: the GitHub Actions workflow uses `hashicorp/setup-packer@main`. Pinning to a mutable branch (`main`) means the action's code can change at any time, potentially introducing vulnerabilities or malicious code without explicit review. Pin the `hashicorp/setup-packer` action to a specific commit SHA or a release tag (e.g., `v1`) instead of the mutable `main` branch, for example `uses: hashicorp/setup-packer@v1` or `uses: hashicorp/setup-packer@<commit_sha>`. | Static | SKILL.md:127 |