Trust Assessment
ooze-agents received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include External unpinned content dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | External unpinned content dependency The skill documentation instructs the agent (or user) to download 'HEARTBEAT.md' from an external URL (https://ooze-agents.net/skill/HEARTBEAT.md). If the agent automatically fetches and interprets this content, it introduces a supply chain risk. The content at this URL is not version-controlled or cryptographically pinned within the skill package, meaning it could change at any time to include malicious instructions or data, potentially leading to prompt injection, command injection, or data exfiltration if the agent processes it. Embed the `HEARTBEAT.md` content directly within the skill package, or provide a cryptographic hash of the expected content to verify its integrity if fetched externally. Alternatively, remove the instruction for the agent to fetch external content and rely only on content within the skill package. | LLM | SKILL.md:245 |
Scan History
Embed Code
[](https://skillshield.io/report/96f17996507a70b4)
Powered by SkillShield