Trust Assessment
docker-writer received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include "External tool described to exfiltrate project data" and "Unpinned external dependency execution via npx".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 5acc5677). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **External tool described to exfiltrate project data.** The skill's documentation describes the `ai-dockerfile` tool (which users are instructed to run via `npx`) as identifying the user's 'tech stack and sends that info to an AI model'. This indicates that project-specific information is collected and transmitted to an external, unspecified AI service. While the skill itself doesn't perform the exfiltration, it explicitly instructs the user to execute a tool that performs this action. Clearly disclose what data is collected, how it's used, and by whom. Provide options for users to opt-out or run the tool offline. If the AI model is external, ensure data privacy and security policies are robust. For the skill documentation, add a prominent warning about data transmission. | LLM | SKILL.md:52 |
| HIGH | **Unpinned external dependency execution via npx.** The skill instructs users to execute an external npm package (`ai-dockerfile`) using `npx` without specifying a version (e.g., `npx ai-dockerfile`). This means the latest version of the package will always be fetched and executed. If the `ai-dockerfile` package on the npm registry is compromised or replaced with a malicious version, users following this instruction would unknowingly execute arbitrary malicious code, posing a significant supply chain risk. Pin the version of the external dependency (e.g., `npx ai-dockerfile@1.2.3`) to ensure consistent and predictable execution. Regularly review and update the pinned version after verifying its integrity. Consider providing a mechanism for users to audit the package before execution. | LLM | SKILL.md:17 |