Trust Assessment
diff-summary received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned external dependency via `npx`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned external dependency via `npx` The skill documentation recommends using `npx ai-diff-summary` without specifying a version. This means the latest version of the `ai-diff-summary` package will always be fetched and executed from the npm registry. This introduces a supply chain risk, as a malicious update to the `ai-diff-summary` package could lead to arbitrary code execution on the system running the skill if the AI agent executes this command. Specify a fixed version for the `ai-diff-summary` package (e.g., `npx ai-diff-summary@1.2.3`) to ensure deterministic execution and prevent unexpected or malicious updates. Regularly review and update the pinned version. | LLM | SKILL.md:10 |
Scan History
Embed Code
[](https://skillshield.io/report/8fc868ae96e4f166)
Powered by SkillShield