Trust Assessment
qmd received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Misleading homepage URL in manifest.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Misleading homepage URL in manifest The 'homepage' field in the skill's manifest (`https://tobi.lutke.com`) appears to be a typosquat or an attempt to falsely associate the skill with a well-known individual (Tobi Lütke, CEO of Shopify). This can mislead users about the origin and trustworthiness of the skill. While the 'package' URL points to a GitHub repository, the misleading homepage raises concerns about the project's legitimacy and intent. Correct the 'homepage' URL to the actual, legitimate project homepage, or remove it if no official homepage exists. Ensure all URLs accurately reflect the project's origin and do not attempt to impersonate or mislead. | LLM | SKILL.md:3 |
Scan History
Embed Code
[](https://skillshield.io/report/17f7e48030a90a75)
Powered by SkillShield