Security Audit
claude-chrome
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrationsTrust Assessment
claude-chrome received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned dependency in installation instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit c7bd8e0f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned dependency in installation instructions The installation instructions for the 'Chrome DevTools MCP' use `npx chrome-devtools-mcp@latest`. Using `@latest` means that the exact version of the package is not pinned. This makes the installation vulnerable to supply chain attacks if a malicious version is published under the same name or if the package maintainer's account is compromised, potentially leading to arbitrary code execution on the user's system. Pin the dependency to a specific, known-good version, e.g., `npx chrome-devtools-mcp@1.2.3`. This ensures that the same version is always installed, reducing the risk of unexpected or malicious changes. | Static | SKILL.md:120 |
Scan History
Embed Code
[](https://skillshield.io/report/02c57399550e7975)
Powered by SkillShield