Trust Assessment
google-home received a trust score of 75/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include "Missing required field: name", "Skill instructs symlinking to system-wide bin directory", and "Unspecified source for `google-home-cli` dependency".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Skill instructs symlinking to system-wide bin directory.** The skill's setup documentation includes a step that instructs the user to create a symbolic link from a skill-internal script (`scripts/nest`) to `/usr/local/bin/nest`. If an automated agent or user executes this instruction, it requires elevated permissions (e.g., `sudo`) to modify a system-wide directory. This poses a security risk as it could lead to unauthorized system modification, privilege escalation, or persistence if the skill's script were malicious or compromised, or if the target path was manipulated. Such an action bypasses standard package management and security controls. Avoid instructing users to symlink into system-wide directories like `/usr/local/bin`. Instead, recommend adding the skill's script directory to the user's PATH environment variable, or provide a wrapper script in a user-local bin directory (e.g., `~/.local/bin`). If system-wide installation is strictly necessary, clearly document the elevated permission requirement and its security implications, and consider using a package manager for safer installation. | LLM | SKILL.md:97 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/mitchellbernstein/google-home/SKILL.md:1 |
| MEDIUM | **Unspecified source for `google-home-cli` dependency.** The skill's documentation frequently references a `google-home-cli` command, which appears to be a core component of the skill's functionality. However, the source, installation method, and integrity of this external dependency are not specified within the provided skill context. This introduces a supply chain risk, as an unknown or untrusted binary could be executed, potentially leading to arbitrary code execution or data compromise. The skill's manifest also does not list `google-home-cli` as a required binary, further indicating its unspecified nature. Clearly document the source, installation instructions, and verification steps for `google-home-cli`. If it is a custom script or binary, include it within the skill package and reference it appropriately. If it's a third-party tool, provide a link to its official repository or distribution channel and recommend specific versions or hashes for integrity verification. Add `google-home-cli` to the `bins` requirement in the manifest if it's a mandatory external dependency. | LLM | SKILL.md:41 |