Trust Assessment
hzl received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned external dependencies in manifest.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned external dependencies in manifest The skill's manifest specifies external dependencies (`hzl` for Homebrew and `hzl-cli` for npm) without pinning specific versions. This means that when a user installs these dependencies, the latest available version will be fetched. If a malicious update or a typosquat package with the same name is published, it could lead to the installation of compromised software, potentially resulting in remote code execution or data exfiltration on the host system. This introduces a supply chain risk as the integrity of the installed tools cannot be guaranteed over time. Pin specific, known-good versions for all external dependencies in the manifest (e.g., `"package": "hzl@1.2.3"` or `"package": "hzl-cli@^4.5.6"`). Regularly review and update these pinned versions to incorporate security patches and new features while maintaining control over the installed software. | LLM | SKILL.md:4 |
Scan History
Embed Code
[](https://skillshield.io/report/4c41c9e3650855c1)
Powered by SkillShield