Trust Assessment
aaveclaw received a trust score of 93/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings: "Unpinned npm dependency version" and "Unpinned Dependency Range".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned npm dependency version: Dependency 'ethers' is not pinned to an exact version ('^6.13.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/chainyoda/aaveclaw/package.json |
| INFO | Unpinned Dependency Range: The 'ethers' dependency in package.json uses a caret range ('^6.13.0'), which allows automatic updates to new minor and patch versions. While package-lock.json pins the version, relying on caret ranges can introduce unexpected changes or vulnerabilities if the lock file is not used or becomes outdated. For security-sensitive applications, it is generally safer to pin to exact versions or use tilde ranges for patch updates. Consider pinning the 'ethers' dependency to an exact version (e.g., '6.13.0') or using a tilde range (e.g., '~6.13.0') to restrict updates to patch versions only. Ensure package-lock.json is always committed and used during deployment. | LLM | package.json:6 |