Trust Assessment
skill-reviewer received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned dependency in recommended command.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned dependency in recommended command.** The skill recommends executing `npx molthub@latest install skill-name`. Using `@latest` for `molthub` means the exact version is not pinned. This introduces a supply chain risk, as a malicious update to the `molthub` package could be automatically pulled and executed without explicit review, potentially leading to arbitrary code execution on the agent's system. Pin the version of `molthub` to a specific, known-good version (e.g., `npx molthub@1.2.3 install skill-name`) to prevent unexpected or malicious updates. Alternatively, provide instructions for verifying the package before installation. | LLM | SKILL.md:290 |
Scan History
Full report: https://skillshield.io/report/d95de55423e6cb04