Trust Assessment
model-evaluator received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned Dependency in Skill Description.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned Dependency in Skill Description. The skill's `SKILL.md` describes Python code that imports `specweave` (e.g., `from specweave import ModelEvaluator`). This indicates a dependency on the `specweave` package. However, no dependency manifest (like `requirements.txt` or `pyproject.toml`) is provided that pins the version of this package. This lack of version pinning creates a supply chain risk, as a future update to `specweave` (or any other implicit ML dependencies like `scikit-learn`, `numpy`, `pandas`, `matplotlib` that would typically be used for such functionality) could introduce vulnerabilities or malicious code without explicit review, leading to unexpected behavior or security breaches. Provide a `requirements.txt` or `pyproject.toml` file that explicitly lists and pins the versions of all direct and indirect dependencies required by the skill. For example, `specweave==1.2.3`. | LLM | SKILL.md:40 |