Trust Assessment
mcp-hass received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned dependency for 'mcporter'.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned dependency for 'mcporter' The skill's manifest specifies 'mcporter' as a Node.js package dependency without a version constraint. This means that the latest version of 'mcporter' will always be installed. This practice introduces a supply chain risk, as a malicious update to the package could be automatically installed, potentially leading to arbitrary code execution or other security breaches without explicit user consent or review. Pin the 'mcporter' dependency to a specific version or version range (e.g., "package": "mcporter@1.2.3" or "package": "mcporter@^1.0.0") to ensure consistent and secure installations. Regularly review and update pinned dependencies to incorporate security fixes. | LLM | SKILL.md:10 |
Scan History
Embed Code
[](https://skillshield.io/report/9667d26be91f3cb9)
Powered by SkillShield