Trust Assessment
e2e-gen received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned external package execution via npx.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned external package execution via npx: the skill documentation instructs users to execute an external npm package (`ai-e2e-gen`) using `npx` without specifying a version. This means that any user running this command will always fetch and execute the latest version of the package. If the `ai-e2e-gen` package maintainers' account is compromised, or if a malicious actor gains control of the package, they could publish a malicious update. Users following these instructions would then unknowingly execute potentially harmful code, leading to a supply chain attack. Pin the version of the `ai-e2e-gen` package in the `npx` command (e.g., `npx ai-e2e-gen@1.0.0 ...`) to ensure users execute a known, vetted version. Regularly update the pinned version after reviewing changes. | LLM | SKILL.md:8 |
Full report: https://skillshield.io/report/ccd5305451d836dc
Powered by SkillShield