Trust Assessment
jira-sync received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The finding is "Excessive permissions declared for a guidance skill".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Excessive permissions declared for a guidance skill. The skill's manifest declares 'Read, Write, Edit, Task, Bash' permissions. However, the skill's primary purpose, as stated in its description, is to provide 'HELP and GUIDANCE about JIRA sync' and explicitly states it 'should NOT auto-activate when the command is being invoked.' For a skill focused on guidance and troubleshooting, 'Write', 'Edit', 'Task', and especially 'Bash' permissions are excessive and introduce an unnecessary attack surface. If the skill were to be compromised or misinterpreted, these broad permissions could be abused for data exfiltration, command injection, or unauthorized file modifications, despite the skill's stated non-execution intent. Restrict 'allowed-tools' to the absolute minimum necessary for a guidance-only skill. For pure guidance, 'Read' might be justifiable for accessing internal documentation, but 'Write', 'Edit', 'Task', and 'Bash' should be removed. If the skill needs to demonstrate commands, it should not possess the capability to execute them. | LLM | SKILL.md |