Trust Assessment
content-moderation received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is an unpinned dependency in the MCP server configuration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned dependency in MCP server configuration. The `mcpServers` configuration instructs the system to execute `@vettly/mcp` using `npx -y @vettly/mcp`. By not specifying a version (e.g., `@vettly/mcp@1.2.3`), the latest available version will always be downloaded and executed. This introduces a supply chain risk, as a malicious or compromised update to the `@vettly/mcp` package could lead to arbitrary code execution on the host system without explicit approval. Pin the `@vettly/mcp` dependency to a specific, known-good version (e.g., `"args": ["-y", "@vettly/mcp@1.0.0"]`) to ensure deterministic and secure execution. Regularly review and manually update the pinned version after verifying its integrity. | LLM | SKILL.md:15 |