Trust Assessment
pamela-calls received a trust score of 88/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 1 medium, and 2 low severity. Key findings include Unpinned Dependencies in Installation Instructions, Hardcoded API Key in JavaScript Code Example, Hardcoded API Key in Python Code Example.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Unpinned Dependencies in Installation Instructions.** The installation instructions for JavaScript, Python, and CLI tools use unpinned dependencies (e.g., `npm install @thisispamela/sdk`). This can lead to non-deterministic builds, unexpected breaking changes, or the introduction of vulnerabilities if a new version of a dependency contains malicious code or security flaws. It's best practice to pin dependencies to specific versions or use lock files to ensure deterministic and secure builds. Update installation instructions to recommend pinning dependencies to specific versions (e.g., `npm install @thisispamela/sdk@^1.0.0` or `@thisispamela/sdk@1.0.0`) and using lock files (package-lock.json, yarn.lock, requirements.txt) for deterministic builds. | LLM | SKILL.md:26 |
| LOW | **Hardcoded API Key in JavaScript Code Example.** The provided JavaScript code example demonstrates hardcoding the API key directly in the source code (e.g., `apiKey: 'pk_live_...'`). While this is an example, this practice can lead to sensitive credentials being exposed if copied into production code or public repositories. API keys should be loaded securely from environment variables, a secrets management service, or a configuration file that is not committed to version control. Update the JavaScript example to show secure loading of API keys, e.g., from environment variables, instead of hardcoding them. | LLM | SKILL.md:50 |
| LOW | **Hardcoded API Key in Python Code Example.** The provided Python code example demonstrates hardcoding the API key directly in the source code (e.g., `api_key="pk_live_..."`). While this is an example, this practice can lead to sensitive credentials being exposed if copied into production code or public repositories. API keys should be loaded securely from environment variables, a secrets management service, or a configuration file that is not committed to version control. Update the Python example to show secure loading of API keys, e.g., from environment variables, instead of hardcoding them. | LLM | SKILL.md:62 |