Security Audit
HKUDS/CLI-Anything:dify-workflow/agent-harness/cli_anything/dify_workflow/skills
github.com/HKUDS/CLI-AnythingTrust Assessment
HKUDS/CLI-Anything:dify-workflow/agent-harness/cli_anything/dify_workflow/skills received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned Git Dependency from Personal Repository.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 19, 2026 (commit bf3cc39e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned Git Dependency from Personal Repository The installation instructions recommend installing an upstream dependency directly from a personal GitHub repository's main branch (`git+https://github.com/Akabane71/dify-workflow-cli.git@main`). This introduces a supply chain risk, as any changes or malicious commits pushed to the `main` branch of this repository will be automatically fetched and executed during installation without any cryptographic verification or version pinning. Pin the dependency to a specific, verified commit hash (e.g., `git+https://github.com/Akabane71/dify-workflow-cli.git@<commit-hash>`) or publish the package to PyPI and use a pinned version constraint. | LLM | SKILL.md:7 |
Scan History
Embed Code
[](https://skillshield.io/report/0a69a4f31f7ea02e)
Powered by SkillShield