Trust Assessment
apple-docs-mcp received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are "Missing required field: name" and "Unpinned external dependency in `npx` command".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned external dependency in `npx` command. The skill executes an external Node.js package (`@kimsungwhee/apple-docs-mcp`) via `npx` without specifying a version. This means `npx` will always download and execute the latest available version of the package from the npm registry. A malicious update to this package by its maintainers, or a compromise of the npm registry, could introduce arbitrary code execution, data exfiltration, or other severe vulnerabilities without any change to the skill's manifest. This creates a significant supply chain risk. Pin the version of the `npx` package to a known good version (e.g., `"@kimsungwhee/apple-docs-mcp@1.2.3"`) to ensure deterministic execution and prevent unexpected behavior from future updates. Regularly review and update the pinned version after verifying its integrity. | LLM | SKILL.md:10 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/janhcla/apple-docs-mcp/SKILL.md:1 |