Trust Assessment
fin-cog received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include Unpinned Dependency and Unpinned Dependency in Installation Instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned Dependency.** The skill declares a dependency on 'cellcog' in its manifest and instructs users to install it without specifying a version. This makes the skill vulnerable to supply chain attacks if a malicious version of 'cellcog' is published, as the latest version would be installed automatically. Pin the dependency 'cellcog' to a specific, known-good version in the manifest (e.g., `"cellcog==1.2.3"`) and update the installation instructions accordingly (e.g., `clawhub install cellcog==1.2.3`). Regularly review and update pinned versions. | LLM | SKILL.md:1 |
| HIGH | **Unpinned Dependency in Installation Instructions.** The installation instruction `clawhub install cellcog` does not specify a version. This means that if a malicious version of 'cellcog' is published, users following these instructions could inadvertently install compromised software, leading to a supply chain attack. Update the installation instruction to include a specific, known-good version of the dependency (e.g., `clawhub install cellcog==1.2.3`). This should align with the version pinned in the skill's manifest. | LLM | SKILL.md:20 |