Trust Assessment
plane received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned CLI script downloaded from raw GitHub URL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned CLI script downloaded from raw GitHub URL.** The `plane` CLI script is downloaded directly from `https://raw.githubusercontent.com/JinkoLLC/plane-skill/main/scripts/plane` without any version pinning (e.g., commit hash or specific release tag). This vulnerability is present in both the skill's manifest installation instructions and the `SKILL.md` documentation. This means the content of the script can change at any time, potentially introducing malicious code that would be executed on the host system when the skill is installed or updated, leading to a supply chain compromise. Pin the dependency to a specific commit hash or release tag. For example, use `https://raw.githubusercontent.com/JinkoLLC/plane-skill/<commit_hash>/scripts/plane` or download from a release asset. Implement checksum verification for the downloaded script to ensure integrity. | LLM | SKILL.md:17 |