Trust Assessment
push-to-registry received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned GitHub Action dependency.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 98272896). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned GitHub Action dependency The GitHub Actions workflow uses `hashicorp/setup-packer@main`. Pinning to a mutable branch (`main`) means that the action's code can change at any time, potentially introducing vulnerabilities or malicious code without explicit review. It is recommended to pin to a specific commit SHA or a release tag (e.g., `v1`). Pin the `hashicorp/setup-packer` action to a specific commit SHA or a release tag (e.g., `v1`) instead of the mutable `main` branch. For example, `uses: hashicorp/setup-packer@v1` or `uses: hashicorp/setup-packer@<commit_sha>`. | Unknown | SKILL.md:127 |
Scan History
Embed Code
[](https://skillshield.io/report/10927615a8137d50)
Powered by SkillShield