Trust Assessment
gotrain received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding (0 critical, 1 high, 0 medium, 0 low): an unpinned dependency in the skill installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned dependency in skill installation. The skill's manifest specifies the 'gotrain-cli' package for installation via npm without a version specifier, so the latest published version of 'gotrain-cli' is installed every time. This is a supply chain risk: a malicious or vulnerable update to 'gotrain-cli' would be installed automatically, compromising the skill without explicit review or consent. Pin 'gotrain-cli' to a specific, known-good version in the manifest (e.g., "package": "gotrain-cli@1.2.3") so installations are deterministic, and review and update the pinned version on a regular cadence. | LLM Behavioral Safety | SKILL.md:1 |
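The check behind this finding, written out as an added example (this is not code from the SkillShield report or from the gotrain project). It classifies an npm package spec as pinned, floating, a dist-tag, or missing, and audits a manifest of the shape `{"package": "name@version"}`, which is an assumption taken from the finding's suggested fix rather than a documented manifest format. The sample manifests are constructed.

```javascript
// Added example, not code from the SkillShield report or the gotrain project.
// The manifest shape ({"package": "name@version"}) is assumed from the
// finding's suggested fix; it is not a documented SkillShield format.

// Exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const SEMVER_EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Split "name@range" into its parts. A scoped package name starts with "@",
// so split on the LAST "@" and treat an "@" at position 0 as part of the name.
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) return { name: spec, range: '' };
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

// status: "pinned"   - exact version, deterministic install
//         "missing"  - no version at all; npm resolves the "latest" dist-tag
//         "floating" - semver range (^1.2.3, ~1.2, >=1, 1.x, *); newest match wins
//         "tag"      - dist-tag such as "latest" or "next"; the publisher can move it
function classify(spec) {
  const { name, range } = splitSpec(spec.trim());
  let status;
  if (range === '') status = 'missing';
  else if (SEMVER_EXACT.test(range)) status = 'pinned';
  else if (/^[\^~><=*\d]/.test(range)) status = 'floating';
  else status = 'tag';
  return { name, range, status };
}

// Audit a manifest: every spec that is not an exact version is reported,
// mirroring the HIGH finding in the table above.
function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const specs = [].concat(manifest.package ?? []); // "package" may be a string or a list
  return specs
    .map(classify)
    .filter((r) => r.status !== 'pinned')
    .map((r) => ({
      severity: 'HIGH',
      package: r.name,
      spec: r.range || '(none)',
      status: r.status,
      fix: `${r.name}@<exact version>`,
    }));
}

// Constructed sample manifests: the form the finding describes, and the fixed form.
const UNPINNED_MANIFEST = JSON.stringify({ name: 'gotrain', package: 'gotrain-cli' });
const PINNED_MANIFEST = JSON.stringify({ name: 'gotrain', package: 'gotrain-cli@1.2.3' });

console.log(JSON.stringify(auditManifest(UNPINNED_MANIFEST), null, 2)); // one HIGH entry
console.log(JSON.stringify(auditManifest(PINNED_MANIFEST), null, 2));   // []
```

Pinning an exact version removes the "always install the latest release" behaviour the finding describes, but the install still trusts whatever the registry serves for that version. If the skill's installer runs in a directory with a `package-lock.json`, `npm ci` additionally verifies each tarball against the lockfile's `integrity` hash, which is the stronger guarantee to aim for.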
Full report: https://skillshield.io/report/8e2cb91345137a0d