Trust Assessment
nodejs-backend received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Broad 'Bash' permission granted.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Broad 'Bash' permission granted The skill's manifest declares 'Bash' as an allowed tool. This grants the AI agent the ability to execute arbitrary shell commands on the host system. While a backend development agent might require some CLI operations (e.g., `npm install`, `npx prisma migrate`), unrestricted 'Bash' access is a powerful permission that could be exploited for command injection, data exfiltration, or system compromise if the agent is manipulated. This permission allows the agent to interact with the underlying operating system, potentially leading to unauthorized actions. Restrict Bash access to a minimal set of necessary commands, or use a more granular tool that provides specific CLI functionalities without full shell access. If full Bash access is unavoidable, ensure robust sandboxing and strict input validation for any commands generated by the agent. Consider if a more specific tool (e.g., a 'package_manager' tool) could replace general 'Bash' access for common operations. | LLM | Manifest |
Scan History
Embed Code
[](https://skillshield.io/report/0ebdb186ff59179c)
Powered by SkillShield