Trust Assessment
push-to-registry received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned GitHub Action Version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit 339a1139). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned GitHub Action Version The GitHub Actions workflow uses 'hashicorp/setup-packer@main' which is not pinned to a specific version or commit SHA. This can lead to unexpected behavior, breaking changes, or introduce supply chain risks if the 'main' branch is compromised or updated with malicious code. It's best practice to pin actions to a specific commit SHA or a major/minor version tag (e.g., 'v1', 'v1.2.3') to ensure reproducibility and security. Pin the GitHub Action to a specific version or commit SHA. For example, change `hashicorp/setup-packer@main` to `hashicorp/setup-packer@vX` (where X is a stable major version) or `hashicorp/setup-packer@vX.Y.Z` for a specific release, or even a full commit SHA. | Static | SKILL.md:130 |
Scan History
Embed Code
[](https://skillshield.io/report/10927615a8137d50)
Powered by SkillShield