Trust Assessment
nochat-channel received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 5 findings: 0 critical, 0 high, 1 medium, and 3 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Configurable External Network Requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned npm dependency version: Dependency 'vitest' is not pinned to an exact version ('^3.0.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/catsmeow492/nochat-channel-plugin/package.json |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/catsmeow492/nochat-channel-plugin/package.json |
| LOW | Configurable External Network Requests: The plugin makes network requests to a server URL (`config.serverUrl`) provided in its configuration. If an attacker can modify the `serverUrl` in the agent's configuration, they could redirect all outbound communication, including messages and API keys, to an arbitrary malicious server. This is a common pattern for plugins interacting with external services, but it highlights the importance of securing the agent's configuration. Ensure that the agent's configuration, especially the `serverUrl` and `apiKey` fields, is stored securely and protected from unauthorized modification. Implement strict access controls and integrity checks for configuration files. | LLM | index.ts:68 |
| LOW | API Key Stored in Configuration: The plugin requires an API key (`config.apiKey`) to be stored directly in its configuration for authentication with the NoChat server. While necessary for the plugin's functionality, this means the API key is present in plaintext or easily retrievable within the agent's configuration. If the agent's configuration is compromised, the API key will be exposed, potentially allowing unauthorized access to the NoChat account. Implement secure storage mechanisms for API keys, such as environment variables, a secrets management service, or encrypted configuration files, rather than direct plaintext storage. Ensure the host system protects access to these secrets. | LLM | index.ts:68 |
| INFO | Truncated Code in Inbound Message Handler: The `handleNoChatInbound` function, which processes incoming messages, is truncated in the provided context. This prevents a full security analysis of how inbound `encrypted_content` (which is base64 decoded) is handled. Without the complete code, it is impossible to verify that the decoded content is safely processed and does not lead to vulnerabilities such as command injection or prompt injection if it were passed to an LLM or executed. Provide the complete source code for the `handleNoChatInbound` function to allow a thorough security review. Ensure that any decoded inbound content is properly sanitized and validated before being used in any sensitive operation (e.g., shell commands, database queries, or direct LLM prompts). | LLM | index.ts:179 |
Powered by SkillShield