Trust Assessment
skills-search received a trust score of 52/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 0 medium, and 1 low severity. Key findings include Malicious install hooks, Sensitive path access: AI agent config, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Malicious install hooks Python setup.py with suspicious imports Review all lifecycle scripts carefully. Remove install hooks that make network requests, execute shell commands, or access environment variables. Use --ignore-scripts for npm installs when possible. | Manifest | skills/thesethrose/skills-search/cli.js:33 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/thesethrose/skills-search/SKILL.md:90 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/thesethrose/skills-search/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/6c3dd68795d14f08)
Powered by SkillShield