Trust Assessment
job-search-mcp-skill received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 0 high, 1 medium, and 1 low severity. The findings are "Recommendation to clone and execute potentially unofficial/unvetted MCP server" (critical), "Missing required field: name" (medium), and "Unpinned Python package dependencies" (low).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Recommendation to clone and execute a potentially unofficial/unvetted MCP server. The skill's installation instructions recommend cloning `https://github.com/chinpeerapat/jobspy-mcp-server.git` and then configuring Claude Desktop to execute that server with `uv run` or `node`. The repository appears to be a fork or separate implementation by the user `chinpeerapat`, not the official `JobSpy` project maintainers (Anil-matcha). Relying on an unvetted third-party repository for server code, and then instructing the LLM environment to execute it, is a critical supply-chain risk: the cloned code could contain malicious payloads, backdoors, or vulnerabilities (including command injection) that lead to arbitrary code execution on the user's system, with the skill acting as the vector that introduces and runs the untrusted program. The skill should only recommend official, verified, and maintained MCP server implementations. If `chinpeerapat/jobspy-mcp-server` is legitimate, its provenance and security should be verified and documented, the instructions should pin the checkout to a specific reviewed commit rather than the default branch, and users should be clearly cautioned about running code from unverified sources. Ideally the skill would link to the official JobSpy project's recommended MCP server, or integrate the functionality directly within a sandboxed environment. | LLM | SKILL.md:39 |
| MEDIUM | Missing required field: name. The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the SKILL.md frontmatter. | Static | skills/amoghpurohit/job-search-mcp-skill/SKILL.md:1 |
| LOW | Unpinned Python package dependencies. The installation instructions install Python packages (`python-jobspy`, `pandas`, `pydantic`, `mcp`) with only a minimum version (`>=`) specified. A lower bound accepts any future release, which can introduce breaking changes, vulnerabilities, or malicious code if a package maintainer's account is compromised; `mcp>=1.1.0` is likewise only a lower bound, not a pin. Pin all dependencies to exact versions (e.g., `python-jobspy==1.1.82`) or at least to a compatible-release range (e.g., `python-jobspy~=1.1.82`, which allows only 1.1.x patch releases). Note that a version pin alone does not stop a substituted artifact under a compromised maintainer account; for that, also pin hashes (`pip-compile --generate-hashes` together with `pip install --require-hashes`). | LLM | SKILL.md:30 |
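The three findings above are all detectable with a small static check over the SKILL.md text. The Python below is an added example written for this page; it is not SkillShield's scanner and not part of the skill. The SKILL.md it scans is constructed to resemble the findings (the package versions, the `server.py` path and the `uv run` line are made up), the `trusted_owners` allowlist is a hypothetical knob, and the "commit checkout" heuristic only looks for a `git checkout <hex>` after the clone.

```python
"""Added example for this page: a minimal static checker that reproduces the three
classes of finding in the report. Illustrative code, not SkillShield's scanner."""
import re

# Constructed SKILL.md text modelled on the findings above; not the real file.
# Package versions, the server.py path and the `uv run` line are made up.
SAMPLE_SKILL_MD = """---
description: Search job boards through the JobSpy MCP server
---
# Job search

Install dependencies:

    pip install "python-jobspy>=1.1.80" "pandas>=2.0" "pydantic>=2.0" "mcp>=1.1.0"

Clone the MCP server:

    git clone https://github.com/chinpeerapat/jobspy-mcp-server.git
    cd jobspy-mcp-server && uv run server.py
"""

REQUIRED_FRONTMATTER = ("name", "description")
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?)(?P<spec>.*)$")
CLONE_RE = re.compile(r"\bgit\s+clone\s+(\S+)")
CHECKOUT_RE = re.compile(r"\bgit\s+checkout\s+[0-9a-f]{7,40}\b")
# An interpreter/runner invoked at line start or after && ; | (not inside a pip line).
RUN_RE = re.compile(r"(?:^|&&|;|\|)\s*(uv\s+run|npx|node|python3?)\s", re.M)
FILE_OPTS = {"-r", "--requirement", "-c", "--constraint", "-e", "--editable"}


def parse_frontmatter(text):
    """Top-level key/value pairs of a leading '---' block (empty dict if none)."""
    m = re.match(r"^---\n(.*?)\n---\n", text, re.S)
    lines = m.group(1).splitlines() if m else []
    pairs = (line.partition(":") for line in lines if not line[:1].isspace())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def check_frontmatter(text):
    """The MEDIUM finding: required frontmatter keys that are absent."""
    present = parse_frontmatter(text)
    return [f"Missing required field: {k}" for k in REQUIRED_FRONTMATTER if k not in present]


def classify_requirement(req):
    """Return (name, kind): 'pinned' for ==, 'compatible' for ~=, else 'unpinned'."""
    m = REQ_RE.match(req.strip().strip("'\""))
    if not m:
        return None
    ops = set(re.findall(r"~=|===|==|!=|<=|>=|<|>", m.group("spec")))
    kind = "pinned" if ops & {"==", "==="} else "compatible" if "~=" in ops else "unpinned"
    return m.group("name"), kind


def check_pip_installs(text):
    """The LOW finding: (line_no, package, kind) for every pip-installed package
    that is not pinned with ==. A bare '>=' lower bound counts as unpinned."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = re.search(r"\bpip3?\s+install\b(.*)$", line)
        if not m:
            continue
        skip_next = False
        for tok in m.group(1).split():
            if skip_next or tok.startswith("-"):
                skip_next = tok in FILE_OPTS  # the next token is a file, not a package
                continue
            parsed = classify_requirement(tok)
            if parsed and parsed[1] != "pinned":
                results.append((line_no, parsed[0], parsed[1]))
    return results


def check_clone_and_run(text, trusted_owners=frozenset()):
    """The CRITICAL finding: every `git clone` of a repo whose owner is not in the
    (hypothetical) allowlist, noting a missing commit checkout and later execution."""
    findings = []
    pinned = bool(CHECKOUT_RE.search(text))
    executed = bool(RUN_RE.search(text))
    for url in CLONE_RE.findall(text):
        owner = re.search(r"github\.com[/:]([^/]+)/", url)
        if owner and owner.group(1).lower() in trusted_owners:
            continue
        detail = f"clone of {url}"
        if not pinned:
            detail += "; no commit checkout"
        if executed:
            detail += "; executed after clone"
        findings.append(detail)
    return findings


def audit(text, trusted_owners=frozenset()):
    """Group findings by the severities the report above uses."""
    return {
        "CRITICAL": check_clone_and_run(text, trusted_owners),
        "MEDIUM": check_frontmatter(text),
        "LOW": [f"line {n}: {pkg} is {kind}" for n, pkg, kind in check_pip_installs(text)],
    }


if __name__ == "__main__":
    for severity, items in audit(SAMPLE_SKILL_MD).items():
        for item in items:
            print(severity, item)
```

Running the block on the constructed SKILL.md reports one CRITICAL (the clone is neither pinned to a commit nor allowlisted, and is executed), one MEDIUM (`name` missing) and four LOW entries, including `mcp`, because `>=` is treated exactly like the other lower bounds. The checks are regex heuristics, so a clone followed by `git checkout <tag>` or a run command hidden in a shell script would not be recognised; they are meant as a pre-deployment gate, not a substitute for reading the cloned code.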
Full report: https://skillshield.io/report/04ee5e42a296a351