Trust Assessment
monarch-money received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 1 medium, and 0 low severity. The findings are "Potential Typosquatting in 'dotenv' Dependency" (critical) and "Unpinned npm dependency version" (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Typosquatting in 'dotenv' Dependency.** The `package.json` and `package-lock.json` files specify `dotenv` with version `^17.2.2`. The official `dotenv` package is typically in the `16.x.x` range. This version number is highly unusual for the legitimate `dotenv` package and strongly suggests a typosquatting attempt. A malicious package could mimic the functionality of `dotenv` while also performing arbitrary code execution, credential harvesting, or data exfiltration. Remediation: verify the correct `dotenv` package and version. It is highly recommended to change the dependency to the official `dotenv` package (e.g., `^16.0.0` or the latest stable version) and ensure it is installed from a trusted registry. Remove the suspicious package from `node_modules` and `package-lock.json` before reinstalling. | LLM | package.json:50 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `chalk` is not pinned to an exact version (`^4.1.2`). Remediation: pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/davideasaf/monarch-money/package.json |
Full report: https://skillshield.io/report/b399168619e4280d
Powered by SkillShield