Trust Assessment
copilot-sdk received a trust score of 93/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned dependencies in installation instructions.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 326f2466). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned dependencies in installation instructions. The installation commands for the GitHub Copilot SDK do not specify package versions. This introduces a supply chain risk: a malicious update to any of these packages could be installed automatically by users following these instructions, leading to potential compromise. Best practice is to pin dependencies to specific versions or at least major versions. Specify exact or minimum versions for all package dependencies in the installation instructions (e.g., `npm install @github/copilot-sdk@1.2.3` or `npm install @github/copilot-sdk@^1.2.3`) to mitigate supply chain risks from malicious package updates. | Unknown | SKILL.md:60 |
Powered by SkillShield