Trust Assessment
JWT Decode - Token Inspector CLI received a trust score of 86/100, placing it in the Mostly Trusted category. The skill passed most security checks, with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The single finding is an Unpinned Global npm Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned Global npm Dependency: the skill instructs users to install the `@lxgicstudios/jwt-decode` npm package globally without specifying a version (`npm install -g @lxgicstudios/jwt-decode`). Because the version floats, a malicious update published to the package would be installed automatically by anyone following the instructions, and the tool then runs on sensitive input (JWTs), which amplifies the impact. Recommendation: pin the dependency to a specific, known-good version (e.g., `npm install -g @lxgicstudios/jwt-decode@1.2.3`) and review and update the pinned version on a regular schedule so security patches are picked up while unexpected releases are not. | LLM | SKILL.md:7 |
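The check behind this finding is mechanical enough to run yourself before publishing a skill. The script below is an added example, not SkillShield's analyzer or the skill's own code: it scans a SKILL.md-style document for `npm install -g` / `npm i --global` commands and reports every package spec that is not pinned to an exact semver (a missing version, a dist-tag such as `latest`, or a range all count as floating). The sample document, the `some-tool`, `other-tool` and `example-local-dep` package names, and the function names are constructed for the example; `@lxgicstudios/jwt-decode` and the `1.2.3` pin are the ones quoted in the finding above.

```python
import re
import shlex

INSTALL_VERBS = {"install", "i", "add"}
GLOBAL_FLAGS = {"-g", "--global"}
COMMAND_SEPARATORS = {"&&", "||", ";", "|"}
# Only an exact semver (optionally with prerelease/build metadata) counts as a pin.
EXACT_SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")

# Constructed sample: an install section as it might appear in a skill's SKILL.md.
SAMPLE_SKILL_MD = """\
# JWT Decode - Token Inspector CLI

Install the CLI globally:

    npm install -g @lxgicstudios/jwt-decode

Pinned alternative: `npm install -g @lxgicstudios/jwt-decode@1.2.3`
Also: npm i -g some-tool@latest && npm install --global other-tool
Local dev only: npm install example-local-dep
"""


def split_spec(spec):
    """Split 'name@version' into (name, version). Scoped names start with '@',
    so the version separator is an '@' after the first character."""
    scoped = spec.startswith("@")
    body = spec[1:] if scoped else spec
    if "@" not in body:
        return spec, None
    name, version = body.rsplit("@", 1)
    return ("@" + name if scoped else name), version


def is_pinned(version):
    """Dist-tags ('latest'), ranges ('^1.2.0') and a missing version all float."""
    return version is not None and EXACT_SEMVER_RE.match(version) is not None


def split_commands(tokens):
    """Break a token list into separate commands at shell operators."""
    commands, current = [], []
    for tok in tokens:
        if tok in COMMAND_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def find_unpinned_global_installs(text):
    """Return (line_number, package_name, version) for every global npm install
    whose package spec is not pinned to an exact version."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Markdown backticks and shell prompts are not part of the command.
        cleaned = raw.replace("`", " ").strip().lstrip("$ ")
        try:
            tokens = shlex.split(cleaned)
        except ValueError:  # unbalanced quotes: not a command we can parse
            continue
        for cmd in split_commands(tokens):
            for i in range(len(cmd) - 1):
                if cmd[i] == "npm" and cmd[i + 1] in INSTALL_VERBS:
                    args = cmd[i + 2:]
                    break
            else:
                continue  # no "npm install" in this command
            if not GLOBAL_FLAGS.intersection(args):
                continue  # local installs are governed by a lockfile, not this check
            for tok in args:
                if tok.startswith("-"):
                    continue
                name, version = split_spec(tok)
                if not is_pinned(version):
                    findings.append((lineno, name, version))
    return findings


if __name__ == "__main__":
    for lineno, name, version in find_unpinned_global_installs(SAMPLE_SKILL_MD):
        shown = version if version is not None else "(no version)"
        print(f"SKILL.md:{lineno}: global install of {name} is not pinned: {shown}")
```

Run against the sample, the pinned `@1.2.3` line passes while the bare install, the `@latest` dist-tag and the `--global` form are each reported with their line number, which matches the `SKILL.md:7` style location in the finding table. Pinning the version closes the "floating update" path; it does not by itself protect against a compromised publish of the pinned version, so the review-and-bump schedule the finding recommends still matters.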
Report: https://skillshield.io/report/52fc88a976a7c7b5
Powered by SkillShield