Trust Assessment
affiliate-master received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Misleading 'crypto' dependency in package.json.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Amazon Associate ID can be leaked to arbitrary URLs: In `index.js`, the `generateLink` function for the 'amazon' network constructs the `affiliateUrl` by appending the `associateId` to `product.url`. If the `product.url` parameter is sourced from an untrusted external API (as implied by the `searchProduct` function's future implementation) and is not properly validated or sanitized, an attacker could provide a malicious URL. This would cause the skill to make a request to an attacker-controlled domain, inadvertently leaking the Amazon `associateId` in the query parameters. This exposes a sensitive credential to an unauthorized third party. Implement strict URL validation for `product.url` before appending sensitive information. Ensure that `product.url` only points to legitimate Amazon domains or other trusted sources. Alternatively, use a URL parsing library to safely append parameters, ensuring that existing `tag` parameters are handled securely or overridden. | LLM | index.js:68 |
| MEDIUM | Unpinned npm dependency version: Dependency 'axios' is not pinned to an exact version ('^1.6.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/michael-laffin/affiliate-master/package.json |
| MEDIUM | Misleading 'crypto' dependency in package.json: The `package.json` lists `crypto: "^1.0.1"` as a dependency. `crypto` is a built-in Node.js module and should not be listed as an external dependency. This entry is redundant and could lead to a supply chain attack if a malicious package named `crypto` were published and installed, potentially overriding the built-in module or causing confusion. While Node.js's `require` mechanism prioritizes built-in modules, this is still a bad practice and a potential vector for typosquatting or dependency confusion in certain environments or build systems. Remove the `crypto` entry from the `dependencies` section in `package.json`. | LLM | package.json:17 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/michael-laffin/affiliate-master/package.json |
Full report: https://skillshield.io/report/38aea1f9f6681cd3
Powered by SkillShield