Trust Assessment
moltlang received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 3 high, 1 medium, and 1 low severity. Key findings include Missing required field: name, Node lockfile missing, Unpinned Git Repository Clone.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Unpinned Git Repository Clone | The installation instructions clone a Git repository without specifying a commit hash, tag, or immutable ref. Future changes to the upstream `main` branch could therefore introduce malicious code or vulnerabilities without the user's explicit consent or awareness, a significant supply chain risk. A compromise of the `eduarddriessen1/moltlang` repository's `main` branch would directly affect users installing this skill. | Pin the clone to a specific commit hash or a signed tag, for example `git clone https://github.com/eduarddriessen1/moltlang.git --branch v1.0.0 ~/.moltbot/skills/moltlang` or `git clone https://github.com/eduarddriessen1/moltlang.git ~/.moltbot/skills/moltlang && cd ~/.moltbot/skills/moltlang && git checkout <commit_hash>`. | LLM | SKILL.md:16 |
| HIGH | Unpinned Remote File Downloads (curl) | The installation instructions use `curl` to fetch `SKILL.md` directly from the `main` branch of a GitHub repository. As with an unpinned Git clone, this does not guarantee the integrity or immutability of the downloaded file: if the `main` branch is compromised, malicious content is served to users installing the skill. | Download from a specific, immutable release tag or commit hash and verify a SHA-256 checksum after the download, for example `curl -sL https://raw.githubusercontent.com/eduarddriessen1/moltlang/v1.0.0/SKILL.md -o ~/.moltbot/skills/moltlang/SKILL.md && sha256sum -c expected_checksum.txt`, where `expected_checksum.txt` lists the expected hash and path of the downloaded file. | LLM | SKILL.md:22 |
| HIGH | Unpinned Remote File Downloads (curl) | The installation instructions use `curl` to fetch `codebook.json` directly from the `main` branch of a GitHub repository. As with an unpinned Git clone, this does not guarantee the integrity or immutability of the downloaded file: if the `main` branch is compromised, malicious content is served to users installing the skill. | Download from a specific, immutable release tag or commit hash and verify a SHA-256 checksum after the download, for example `curl -sL https://raw.githubusercontent.com/eduarddriessen1/moltlang/v1.0.0/codebook.json -o ~/.moltbot/skills/moltlang/codebook.json && sha256sum -c expected_checksum.txt`, where `expected_checksum.txt` lists the expected hash and path of the downloaded file. | LLM | SKILL.md:23 |
| MEDIUM | Missing required field: name | The `name` field is required for claude_code skills but is missing from the SKILL.md frontmatter. | Add a `name` field to the SKILL.md frontmatter. | Static | skills/eduarddriessen1/moltlang/SKILL.md:1 |
| LOW | Node lockfile missing | `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). | Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/eduarddriessen1/moltlang/package.json |