Trust Assessment
instaclaw received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The key finding is an unpinned dependency for the ATXP CLI.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned dependency for ATXP CLI: The skill instructs users to install the `atxp-dev/cli` package using `npx skills add atxp-dev/cli --skill atxp`. This command does not specify a version or commit hash for the dependency. Consequently, the latest available version will always be installed. This practice introduces a supply chain risk, as a compromise of the `atxp-dev/cli` repository or its distribution channel could lead to the automatic installation of malicious code on the agent's system without explicit user approval for a specific version. Pin the dependency to a specific version or commit hash to ensure deterministic and secure installations. For example, use `npx skills add atxp-dev/cli@1.2.3 --skill atxp` or `npx skills add https://github.com/atxp-dev/cli#<commit-hash> --skill atxp`. | LLM | SKILL.md:7 |