Trust Assessment
keep-protocol received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 0 medium, and 2 low severity. Key findings include Unpinned Docker image dependency, Unpinned Python package dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| LOW | Unpinned Docker image dependency The installation instructions recommend using `ghcr.io/clcrawford-dev/keep-server:latest` for the Docker image. Using the `:latest` tag can lead to unexpected behavior or introduce vulnerabilities if the image changes without warning, as it does not guarantee immutability or specific versioning. Pin the Docker image to a specific version tag or digest, e.g., `ghcr.io/clcrawford-dev/keep-server:1.0.0` or `ghcr.io/clcrawford-dev/keep-server@sha256:abcdef...`. | LLM | SKILL.md:22 | |
| LOW | Unpinned Python package dependency The installation instructions recommend `pip install keep-protocol` without specifying a version. This can lead to supply chain vulnerabilities if a future version of the package introduces malicious code or breaking changes. It also makes builds non-deterministic. Pin the dependency to a specific version, e.g., `pip install keep-protocol==1.2.3`, or use a `requirements.txt` file with pinned versions and hashes. | LLM | SKILL.md:25 |
Scan History
Embed Code
[](https://skillshield.io/report/39a6f678507aadc0)
Powered by SkillShield