Trust Assessment
devops-engineer received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned GitHub Action dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit e8be415b). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned GitHub Action dependency The GitHub Actions workflow example uses `aquasecurity/trivy-action@master`. Pinning to a specific tag or full commit SHA is recommended to ensure reproducibility, prevent unexpected changes, and mitigate potential supply chain risks if the `master` branch of the action's repository is compromised or updated with breaking changes. Update the GitHub Action reference to a specific version tag (e.g., `aquasecurity/trivy-action@v0.x.x`) or a full commit SHA (e.g., `aquasecurity/trivy-action@a1b2c3d`) instead of `@master`. | Static | SKILL.md:87 |
Scan History
Embed Code
[](https://skillshield.io/report/5d39c02a9ddc0963)
Powered by SkillShield