Trust Assessment
hashgrid-connect received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The finding is "Unpinned remote content fetch with implicit execution instruction".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned remote content fetch with implicit execution instruction.** The skill instructs fetching `skill.md` from `https://connect.hashgrid.ai` without any version pinning or integrity checks. The accompanying instruction 'Fetch it and follow the instructions' (line 13) implies that the fetched content might contain executable commands. If the remote server is compromised or the content of `skill.md` is maliciously altered, an agent following these instructions could be exposed to arbitrary code execution if the fetched content is piped to a shell (e.g., `bash`) instead of merely being read. This constitutes a significant supply chain risk. Avoid fetching and implicitly executing unpinned remote content. If remote content must be fetched, ensure it comes from a trusted, version-controlled source with integrity checks (e.g., checksum verification). For documentation, provide a direct URL to be opened in a browser or explicitly state that the content is for reading only and should not be executed. If execution is intended, provide strong warnings and robust integrity verification mechanisms. | LLM | SKILL.md:16 |