Trust Assessment
glin-profanity-mcp received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned external command execution via `npx`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned external command execution via `npx` | LLM | SKILL.md:19 |

Details: The skill's installation instructions for Claude Desktop and Cursor configure the host application to execute an external Node.js package (`glin-profanity-mcp`) using `npx`. The command `npx -y glin-profanity-mcp` does not specify a version, so it will always fetch and execute the latest version from npm. This introduces a significant supply chain risk: a malicious update to the `glin-profanity-mcp` package could lead to arbitrary code execution on the user's machine without explicit user consent or review of the specific version being run. This is a direct instruction for shell execution.

Recommendation: Pin the version of the `glin-profanity-mcp` package in the `args` array (e.g., `npx -y glin-profanity-mcp@1.2.3`) to ensure deterministic execution and mitigate risks from future malicious updates. Additionally, consider reviewing the source code of `glin-profanity-mcp` for security vulnerabilities before deployment.