Trust Assessment
cwicr-cost-calculator received a trust score of 87/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include "Missing required field: name" and "Unspecified External Dependency".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/cwicr-cost-calculator/SKILL.md:1 |
| MEDIUM | **Unspecified External Dependency.** The skill imports `CWICRDataLoader` from `cwicr_data_loader`, but the source code or package details for `cwicr_data_loader` are not provided within the skill context. This introduces a supply chain risk as the behavior and security of this external dependency are unknown. A malicious or compromised `cwicr_data_loader` could potentially lead to data exfiltration, command injection, or other vulnerabilities if it's not sourced from a trusted, verified location. Provide the source code for `cwicr_data_loader` within the skill package, or specify a trusted, version-pinned source for this dependency (e.g., a specific PyPI package version in a `requirements.txt`). Ensure the `CWICRDataLoader` itself adheres to security best practices, especially when loading data from external files. | LLM | SKILL.md:267 |