Trust Assessment
blogwatcher received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The finding is an unpinned Go module dependency in the skill's installation instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned Go module dependency in skill installation. The skill's installation instructions, defined in the manifest, use `@latest` for the Go module `github.com/Hyaxia/blogwatcher/cmd/blogwatcher`. The exact version of the tool is therefore not pinned, which can lead to non-deterministic builds and potential supply chain vulnerabilities. If a malicious update is published upstream and becomes the version that `@latest` resolves to, the agent would install the compromised version without explicit version control. Pin the Go module to a specific semantic version (e.g., `github.com/Hyaxia/blogwatcher/cmd/blogwatcher@v1.2.3`) in the skill's manifest to ensure deterministic and secure installations. This prevents unexpected changes or malicious code from being introduced via unversioned updates. | LLM | SKILL.md:1 |