Trust Assessment
agent-shield received a trust score of 91/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 1 medium, and 1 low severity. The findings are "Node lockfile missing" and "Skill instructs user to provide sensitive data to external service".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Skill instructs user to provide sensitive data to external service. The skill's `SKILL.md` explicitly instructs users to open a GitHub issue and provide their Ethereum wallet address. While a public address, this is sensitive personal information that can be used for tracking, targeting, or linking to other activities. The skill acts as a vector for the collection of this data by an external party (the skill author via GitHub). Remove instructions that solicit sensitive user information, even if public, to external services. If necessary, provide a secure, privacy-preserving method for token claims that does not require direct submission of personal identifiers. | LLM | SKILL.md:73 |
| LOW | Node lockfile missing. `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/ultimatebos/agent-shield/package.json |