Trust Assessment
cron-gen received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The key finding: the skill recommends running an unpinned external `npx` package.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Skill recommends running unpinned external `npx` package.** The skill's documentation instructs users to execute `npx ai-cron-gen`. `npx` downloads and runs the latest version of the specified package from npm. Without a pinned version (e.g., `ai-cron-gen@1.2.3`), the behavior and security of the executed code can change unexpectedly with each new release, introducing significant supply chain risk: a malicious or compromised update to the `ai-cron-gen` package could lead to command injection, data exfiltration, or other vulnerabilities on the user's system when they follow the skill's instructions. **Remediation:** specify a pinned version for the `npx` command (e.g., `npx ai-cron-gen@1.2.3`) to ensure deterministic execution and allow security review of a specific version. Alternatively, bundle the tool as part of the skill package itself to retain full control over its dependencies and code. | LLM | SKILL.md:10 |