Trust Assessment
affiliatematic received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is "External JavaScript dependency without integrity check".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **External JavaScript dependency without integrity check.** The skill instructs users to include an external JavaScript file (`https://affiliatematic.com/amazon-widget.iife.js`) without specifying a Subresource Integrity (SRI) hash. This makes the integration vulnerable to supply chain attacks. If the `affiliatematic.com` server is compromised or the script is maliciously altered, the user's website could be injected with arbitrary malicious code, potentially leading to data exfiltration, defacement, or other client-side attacks. Recommend adding a Subresource Integrity (SRI) hash to the script tag (e.g., `integrity="sha384-..." crossorigin="anonymous"`). Advise users to regularly review the content of external scripts and consider hosting critical scripts themselves if possible to mitigate reliance on third-party availability and security. | LLM | SKILL.md:40 |