Trust Assessment
sonoscli received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The single finding is an unpinned Go dependency in the skill's installation step.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned Go dependency in installation.** The skill's installation manifest uses `go install` with `@latest` for the `sonoscli` module, so the exact version that gets installed is not pinned. If the upstream repository `github.com/steipete/sonoscli` is compromised or introduces breaking or malicious changes, whatever `@latest` resolves to at install time is downloaded, built and executed by the skill, which exposes every installer to a supply chain attack. Remediation: pin the Go module to a specific, immutable version (a semantic version tag such as `@v1.2.3`, or a commit hash, which Go records as a pseudo-version) instead of `@latest`, and review and bump the pinned version regularly to pick up security fixes. | LLM | Manifest |
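As an added example (not SkillShield's or sonoscli's own code), the POSIX shell lint below reproduces the check behind this finding: it reads an installation manifest on stdin and reports every `go install` or `go run` whose module argument is not pinned to an immutable version. The sample manifest is constructed for the example; the module path is the real `github.com/steipete/sonoscli`, but the `@v1.2.3` tag and the pseudo-version shown as pinned are hypothetical placeholders, not versions the project is known to have published. The `go run` line is included to show that the same mutable-selector problem applies to it, which goes slightly beyond the finding's `go install` wording.

```shell
#!/bin/sh
# Added example, not SkillShield's or sonoscli's own code: lint an
# installation manifest for unpinned Go tool installs.
#
# Flags `@latest`, `@upgrade`, `@patch`, branch names (`@main`, `@master`)
# and module paths with no `@version` at all (which `go install` treats as
# `@latest` when run outside a module).
#
# Reads the manifest on stdin, prints one line per offending command,
# exits 1 if anything was flagged and 0 otherwise.
lint_go_install() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i != "go" || ($(i+1) != "install" && $(i+1) != "run")) continue
            reason = ""
            for (j = i + 2; j <= NF; j++) {
                arg = $j
                if (arg ~ /^-/) continue                     # skip flags such as -v
                if (arg == "&&" || arg == "||" || arg == ";" || arg == "|") break
                if (arg !~ /@/) {
                    reason = "no @version (resolves to @latest)"
                } else {
                    n = split(arg, parts, "@")
                    ver = parts[n]
                    if (ver ~ /^(latest|upgrade|patch|master|main)$/)
                        reason = "mutable selector @" ver
                }
                break                                        # first module path decides
            }
            if (reason != "") { print NR ": " $0 "  <- " reason; found++ }
        }
    }
    END { exit (found > 0) ? 1 : 0 }
    '
}

# Convenience wrapper: print only the number of unpinned invocations.
count_unpinned_go_installs() {
    lint_go_install | wc -l | tr -d ' '
}

# Constructed sample manifest (not sonoscli's real SKILL.md). The @v1.2.3 tag
# and the pseudo-version are hypothetical placeholders for a pinned install.
SAMPLE_MANIFEST='## Installation
go install github.com/steipete/sonoscli@latest
go install github.com/steipete/sonoscli@v1.2.3
go install github.com/steipete/sonoscli
go install -v github.com/steipete/sonoscli@v0.0.0-20260213000000-0123456789ab
go run github.com/steipete/sonoscli@main -- --help'

# Running the lint on the sample flags lines 2, 4 and 6.
printf '%s\n' "$SAMPLE_MANIFEST" | lint_go_install || echo "unpinned Go install found"
```

Pinning fixes the selector, not the verification: a pinned `go install module@version` is still what makes Go's checksum database (`GOSUMDB`, default `sum.golang.org`) useful, because the downloaded module hash is compared against the first-seen record for that exact version, so a tag that is later moved upstream fails the check instead of silently installing different code.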
Full report: https://skillshield.io/report/8df7f54f1d81ea3c
Powered by SkillShield