Trust Assessment
codeberg received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The single finding is an unpinned dependency in the skill's Go installation step.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned dependency in Go installation | LLM Behavioral Safety | SKILL.md |

The skill's manifest installs the `tea` CLI through Go using `code.gitea.io/tea@latest`. Relying on `@latest` is a supply-chain risk: whichever version is newest at install time is pulled, with no review and no pin, so a release that introduces breaking changes, a vulnerability, or malicious code is picked up automatically. Pin the `tea` CLI to a specific, known-good release (for example `code.gitea.io/tea@v1.2.3`, where the tag is a placeholder to be replaced with a real release) in the manifest's `install` section, and review and bump the pinned version on a schedule so the skill still receives security patches while the operator keeps control over what gets installed.
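The check below is an added example, not code from SkillShield or from the codeberg skill. It scans a manifest for `go install` targets that are not pinned to a release tag or pseudo-version, reports them, and rewrites `@latest` to a chosen tag. The sample manifest, its contents and the tag `v1.2.3` are constructed placeholders; the tag to pin to is a human decision made from the project's release notes, which the script does not make for you.

```shell
#!/bin/sh
# Added example (not SkillShield's or the skill's own code): flag unpinned
# `go install` targets in a skill manifest and pin `@latest` to a tag.
# The manifest below and the tag v1.2.3 are constructed placeholders.

# Write a constructed manifest with one unpinned target, one pinned
# target, and one bare path (no @version at all, which acts like @latest).
write_sample_manifest() {
  cat > "$1" <<'EOF'
name: codeberg
install:
  - go install code.gitea.io/tea@latest
  - go install github.com/example/pinned-tool@v1.2.3
  - go install github.com/example/bare-tool
EOF
}

# Print each `go install` target that is not pinned to a semantic-version
# tag or pseudo-version (vMAJOR.MINOR.PATCH, optional -prerelease/+build
# suffix, which also covers v0.0.0-<timestamp>-<commit> pseudo-versions).
# `@latest`, branch names such as `@main`, and bare paths are all reported.
unpinned_go_installs() {
  grep -oE 'go install[[:space:]]+[^[:space:]]+' "$1" \
    | awk '{print $3}' \
    | grep -vE '@v[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$' || true
}

# Number of unpinned targets; a non-zero count can fail a CI gate.
count_unpinned() {
  unpinned_go_installs "$1" | grep -c . || true
}

# Rewrite every `@latest` target to the given tag ($2) in manifest $1.
# Bare paths are left alone on purpose: they need a module-specific tag.
pin_latest_to() {
  sed -i.bak "s#\(go install [^@[:space:]]*\)@latest#\1@$2#g" "$1" \
    && rm -f "$1.bak"
}

# Stand-alone demo: show findings before and after pinning.
manifest=$(mktemp)
write_sample_manifest "$manifest"
echo "Unpinned before pinning:"
unpinned_go_installs "$manifest"
pin_latest_to "$manifest" v1.2.3
echo "Unpinned after pinning @latest to v1.2.3:"
unpinned_go_installs "$manifest"
rm -f "$manifest"
```

Pinning removes the "install whatever is newest" behaviour, but it does not by itself protect against an upstream tag being moved or re-published. With Go's default settings, `go install module@version` checks the downloaded module against the public checksum database (`GOSUMDB`, `sum.golang.org`), so a tag whose contents change after first publication fails verification; keep that default in place rather than disabling it with `GONOSUMDB` or `GOFLAGS=-insecure`.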
Full report: https://skillshield.io/report/71f7172a38326c3c