Trust Assessment
jb-deploy-ui received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 9 findings: 0 critical, 0 high, 6 medium, and 3 low severity. Key findings include "Covert behavior / concealment directives" and "Unpinned external JavaScript dependencies".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 58/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned external JavaScript dependencies: The generated UI imports JavaScript modules from `https://esm.sh/viem` without specifying a fixed version. This introduces a supply chain risk where a malicious or vulnerable update to the `viem` library or a compromise of the `esm.sh` CDN could automatically be loaded and executed by the user's browser, potentially leading to loss of funds or other security incidents. The current import will always fetch the latest compatible version. Pin specific versions for all external dependencies (e.g., `https://esm.sh/viem@1.2.3`) to ensure deterministic and reviewed code execution. Implement a mechanism to update dependencies only after security review and verification. | LLM | SKILL.md:71 |
| MEDIUM | Unpinned external JavaScript dependencies: The generated UI imports JavaScript modules from `https://esm.sh/viem/chains` without specifying a fixed version. This introduces a supply chain risk where a malicious or vulnerable update to the `viem` library or a compromise of the `esm.sh` CDN could automatically be loaded and executed by the user's browser, potentially leading to loss of funds or other security incidents. The current import will always fetch the latest compatible version. Pin specific versions for all external dependencies (e.g., `https://esm.sh/viem@1.2.3/chains`, with the version placed after the package name) to ensure deterministic and reviewed code execution. Implement a mechanism to update dependencies only after security review and verification. | LLM | SKILL.md:72 |
| MEDIUM | Unpinned external JavaScript dependencies: The generated UI imports JavaScript modules from `https://esm.sh/viem` without specifying a fixed version. This introduces a supply chain risk where a malicious or vulnerable update to the `viem` library or a compromise of the `esm.sh` CDN could automatically be loaded and executed by the user's browser, potentially leading to loss of funds or other security incidents. The current import will always fetch the latest compatible version. Pin specific versions for all external dependencies (e.g., `https://esm.sh/viem@1.2.3`) to ensure deterministic and reviewed code execution. Implement a mechanism to update dependencies only after security review and verification. | LLM | SKILL.md:209 |
| MEDIUM | Unpinned external JavaScript dependencies: The generated UI imports JavaScript modules from `https://esm.sh/viem/chains` without specifying a fixed version. This introduces a supply chain risk where a malicious or vulnerable update to the `viem` library or a compromise of the `esm.sh` CDN could automatically be loaded and executed by the user's browser, potentially leading to loss of funds or other security incidents. The current import will always fetch the latest compatible version. Pin specific versions for all external dependencies (e.g., `https://esm.sh/viem@1.2.3/chains`, with the version placed after the package name) to ensure deterministic and reviewed code execution. Implement a mechanism to update dependencies only after security review and verification. | LLM | SKILL.md:210 |
| MEDIUM | Unpinned external JavaScript dependencies: The generated UI imports JavaScript modules from `https://esm.sh/viem` without specifying a fixed version. This introduces a supply chain risk where a malicious or vulnerable update to the `viem` library or a compromise of the `esm.sh` CDN could automatically be loaded and executed by the user's browser, potentially leading to loss of funds or other security incidents. The current import will always fetch the latest compatible version. Pin specific versions for all external dependencies (e.g., `https://esm.sh/viem@1.2.3`) to ensure deterministic and reviewed code execution. Implement a mechanism to update dependencies only after security review and verification. | LLM | SKILL.md:310 |
| MEDIUM | Unpinned external JavaScript dependencies: The generated UI imports JavaScript modules from `https://esm.sh/viem/chains` without specifying a fixed version. This introduces a supply chain risk where a malicious or vulnerable update to the `viem` library or a compromise of the `esm.sh` CDN could automatically be loaded and executed by the user's browser, potentially leading to loss of funds or other security incidents. The current import will always fetch the latest compatible version. Pin specific versions for all external dependencies (e.g., `https://esm.sh/viem@1.2.3/chains`, with the version placed after the package name) to ensure deterministic and reviewed code execution. Implement a mechanism to update dependencies only after security review and verification. | LLM | SKILL.md:311 |
| LOW | Covert behavior / concealment directives: CSS-based text hiding. Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/mejango/juicy/jb-deploy-ui/SKILL.md:26 |
| LOW | Covert behavior / concealment directives: CSS-based text hiding. Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/mejango/juicy/jb-deploy-ui/SKILL.md:254 |
| LOW | Covert behavior / concealment directives: CSS-based text hiding. Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/mejango/juicy/jb-deploy-ui/SKILL.md:456 |