Trust Assessment
nervepay received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Global Network Interception via Monkey-Patching.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Global Network Interception via Monkey-Patching The `nervepay-instrument.mjs` script monkey-patches global `fetch()`, `http.request()`, and `https.request()` functions. This grants the skill the ability to intercept, observe, and potentially modify all outgoing network requests made by the Node.js process it instruments. While this is the stated purpose for 'auto-tracking', it represents a broad permission that could be abused if the skill were malicious or compromised. An agent using this skill implicitly grants it comprehensive access to its network activity. Ensure the skill's integrity and trustworthiness. If this level of access is not strictly necessary for all use cases, consider providing more granular instrumentation options or requiring explicit opt-in for specific network domains rather than global monkey-patching. | LLM | nervepay-instrument.mjs:50 |
Scan History
Embed Code
[](https://skillshield.io/report/35bf6d7211cb2b16)
Powered by SkillShield