Trust Assessment
css-to-tailwind received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned third-party package execution via `npx`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned third-party package execution via `npx` The skill recommends executing a third-party Node.js package (`ai-css-to-tailwind`) using `npx` without specifying a version. This introduces a significant supply chain risk, as a malicious update to the package could lead to arbitrary code execution on the user's system when the command is run. Without a pinned version, the user is always fetching the latest available version, which could be compromised. Recommend specifying a pinned version for the `ai-css-to-tailwind` package (e.g., `npx ai-css-to-tailwind@1.2.3 ...`) to ensure consistent and secure execution. Alternatively, advise users to install the package globally with a specific version (`npm install -g ai-css-to-tailwind@1.2.3`) before running the command. | LLM | SKILL.md:10 |
Scan History
Embed Code
[](https://skillshield.io/report/2eabfb7771c78742)
Powered by SkillShield