Trust Assessment
snapshot-writer received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is execution of an unvetted external `npx` package.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Execution of unvetted external `npx` package | LLM | SKILL.md:10 |

The skill instructs users to run `npx ai-snapshot-test` in its 'Quick Start' and 'Usage Examples'. `npx` downloads a package from the npm registry and executes it directly. If the `ai-snapshot-test` package (from 'LXGIC Studios') is compromised, malicious, or a typosquat, running this command leads to arbitrary code execution on the user's system. The skill promotes an external package that may not have undergone the vetting applied to official or widely adopted tools, which is a supply-chain risk for the user.

Recommendations: specify an exact version for `ai-snapshot-test` (e.g., `npx ai-snapshot-test@1.0.0`) so that a future compromise of the latest release is not pulled in automatically; advise users to audit the `ai-snapshot-test` package source before executing it, or to use a more established and vetted alternative. For the skill author, consider linking to the package's source code or a security audit report.
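The check behind this finding can be reproduced outside SkillShield. The following added example (not SkillShield's scanner and not part of the skill) walks a SKILL.md, pulls `npx` invocations out of fenced blocks and inline code spans only (so prose that merely mentions `npx` is not flagged), splits each package spec into name and version, and reports any spec that is not an exact `x.y.z` pin. It handles scoped packages and dist-tags such as `@latest`, which the recommendation above does not spell out. The sample document, the `@lxgic` scope and the version numbers are constructed for the example.

```python
"""Flag unpinned `npx <package>` invocations in a skill's markdown (added example)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# `npx`, optional leading flags such as `-y`, then the first non-flag token (the package spec).
NPX_RE = re.compile(r"\bnpx\b((?:\s+-{1,2}[\w=.-]+)*)\s+([^\s`'\"|;&]+)")
# An exact semver pin: 1.2.3, optionally with a prerelease/build suffix.
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


@dataclass
class NpxFinding:
    line_no: int
    package: str
    spec: Optional[str]   # None when no version/tag/range was given at all
    pinned: bool
    severity: str


def code_segments(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, text) for lines inside ``` fences and for inline `code` spans."""
    in_fence = False
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("```"):
            in_fence = not in_fence
            continue
        if in_fence:
            yield line_no, line
        else:
            for m in re.finditer(r"`([^`]+)`", line):
                yield line_no, m.group(1)


def split_spec(token: str) -> Tuple[str, Optional[str]]:
    """Split an npm spec into (name, version_spec); '@scope/name@1.2.3' -> ('@scope/name', '1.2.3')."""
    body = token[1:] if token.startswith("@") else token
    if "@" not in body:
        return token, None
    name, spec = body.split("@", 1)
    return ("@" + name if token.startswith("@") else name), spec


def is_pinned(spec: Optional[str]) -> bool:
    """Only an exact version counts; tags (latest) and ranges (^1.0.0) float to new releases."""
    return spec is not None and EXACT_VERSION_RE.match(spec) is not None


def scan_skill(text: str) -> List[NpxFinding]:
    findings = []
    for line_no, segment in code_segments(text):
        for m in NPX_RE.finditer(segment):
            name, spec = split_spec(m.group(2))
            pinned = is_pinned(spec)
            findings.append(NpxFinding(line_no, name, spec, pinned, "INFO" if pinned else "HIGH"))
    return findings


def summarize(findings: List[NpxFinding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample SKILL.md; the fence is assembled at runtime so it can live inside this block.
FENCE = "`" * 3
SAMPLE_SKILL_MD = "\n".join([
    "# ai-snapshot-test (constructed sample, not the real SKILL.md)",
    "",
    "## Quick Start",
    "",
    FENCE + "bash",
    "npx ai-snapshot-test",
    FENCE,
    "",
    "## Usage Examples",
    "",
    "Run once with `npx -y ai-snapshot-test@latest` or pin it: `npx ai-snapshot-test@1.0.0`.",
    "Scoped packages work too: `npx @lxgic/ai-snapshot-test@^1.0.0`.",
    "Note: `npx` itself downloads from the registry.",
])

if __name__ == "__main__":
    for f in scan_skill(SAMPLE_SKILL_MD):
        print(f"{f.severity:4} line {f.line_no}: {f.package} spec={f.spec!r} pinned={f.pinned}")
    print(summarize(scan_skill(SAMPLE_SKILL_MD)))
```

Pinning narrows the exposure window rather than removing it: an exact version still runs whatever that published version contains, including its npm lifecycle scripts, so the source-audit step in the recommendation remains necessary even after the pin.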
Full report: https://skillshield.io/report/30d65eb935927800 (powered by SkillShield)