Trust Assessment
goplaces received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned dependency from third-party Homebrew tap.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned dependency from third-party Homebrew tap The skill installs the `goplaces` binary from `steipete/tap/goplaces` via Homebrew. This relies on a personal Homebrew tap, which carries a higher risk than official repositories. The dependency is not version-pinned, meaning that future updates to the `goplaces` formula in `steipete/tap` could introduce malicious code or breaking changes without explicit review. A compromise of the `steipete` GitHub account or Homebrew tap could lead to arbitrary code execution on the user's system. Pin the version of the `goplaces` binary in the Homebrew formula or use a more trusted distribution channel. Consider vendoring the binary or using a checksum-verified installation method. If using a third-party tap, ensure the maintainer's security practices are robust and consider auditing the formula regularly. | LLM | Manifest |
Scan History
Embed Code
[](https://skillshield.io/report/e1a81d366ed2850c)
Powered by SkillShield