Trust Assessment
bits-mcp received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned `npx` dependency for MCP server.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned `npx` dependency for MCP server The skill's setup instructions recommend using `npx -y usebits-mcp` without specifying a version. This means that every time the MCP server is started, `npx` will fetch and execute the latest version of `usebits-mcp` from npm. If a malicious update is published to this package, users would automatically download and run it, leading to potential arbitrary code execution on their system. Pin the `usebits-mcp` package to a specific, known-good version (e.g., `npx -y usebits-mcp@1.0.0`) and regularly review and update the version to mitigate the risk of supply chain attacks. | LLM | SKILL.md:28 |
Scan History
Embed Code
[](https://skillshield.io/report/7767351c81869bfc)
Powered by SkillShield