Trust Assessment
atlassian-mcp received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via 'npx' execution, Unpinned Dependency in 'npx' command.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit e8be415b). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Command Injection via 'npx' execution The skill configuration includes a 'command' field set to 'npx' with arguments to execute an external package. While the arguments are hardcoded in this example, the use of 'npx' implies direct shell command execution. If the arguments to 'npx' were to be constructed from untrusted user input, it would lead to a command injection vulnerability. Even with static arguments, executing external binaries via 'npx' introduces a dependency on the integrity of the external package and the 'npx' environment. Avoid direct execution of shell commands like 'npx' if possible. If external package execution is necessary, consider using a more controlled execution environment or a language-specific package manager that offers better sandboxing. Ensure that any arguments passed to 'npx' are strictly validated and sanitized, and never derived directly from untrusted input. Pin the version of the package being executed to mitigate supply chain risks. | LLM | SKILL.md:79 | |
| MEDIUM | Unpinned Dependency in 'npx' command The 'npx' command executes the '@sooperset/mcp-atlassian' package without specifying a version (e.g., '@sooperset/mcp-atlassian@1.2.3'). This means 'npx' will fetch and execute the latest available version of the package. This introduces a supply chain risk, as a malicious update to the package by its maintainers, or a compromise of the package's registry, could lead to arbitrary code execution on the system running the skill. Always pin the version of external packages when executing them, especially via tools like 'npx'. For example, change `"@sooperset/mcp-atlassian"` to `"@sooperset/mcp-atlassian@1.0.0"` (or the specific version known to be safe and stable). Regularly review and update pinned versions after verifying their integrity. | LLM | SKILL.md:80 |
Scan History
Embed Code
[](https://skillshield.io/report/a43b5fb4e6fb4c5a)
Powered by SkillShield