Trust Assessment
elevenlabs-transcribe received a trust score of 75/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Unpinned Python dependency version, Unpinned dependency version range, Dependency pinned without hash.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned dependency version range: The 'numpy' package is specified with a version range ('>=1.24.0') instead of an exact pinned version and lacks a SHA256 hash. This allows for the installation of any future version of numpy that meets the criteria, which could introduce vulnerabilities or breaking changes if a malicious or incompatible version is released. Best practice for supply chain security is to pin exact versions with hashes for all dependencies. Pin 'numpy' to an exact version (e.g., 'numpy==1.26.4') and include its SHA256 hash for integrity verification. For example: `numpy==1.26.4 --hash=sha256:YOUR_HASH_HERE`. | LLM | scripts/requirements.txt:10 |
| MEDIUM | Unpinned Python dependency version: Requirement 'numpy>=1.24.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/paulasjes/elevenlabs-transcribe/scripts/requirements.txt:11 |
| MEDIUM | Dependency pinned without hash: The 'sounddevice' package is pinned to an exact version ('0.5.1') but does not include a SHA256 hash. While exact version pinning reduces the risk of unexpected updates, the absence of a hash means that the integrity of the package cannot be verified. If the package on PyPI for this specific version were compromised, the skill would install the malicious version without detection. The comment 'hashes vary by platform' indicates a known challenge for platform-specific packages, but it still represents a supply chain risk. If possible, include platform-specific SHA256 hashes for 'sounddevice' to ensure integrity. If not feasible due to platform variations, consider adding a comment explaining the risk and mitigation strategy (e.g., relying on trusted PyPI mirrors). | LLM | scripts/requirements.txt:9 |