Trust Assessment
spacemolt received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The finding is an unpinned Node.js dependency in the manifest and usage.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned Node.js dependency in manifest and usage. The `mcp-remote` package is specified in the manifest's `install` section without a version, and subsequently used with `npx -y mcp-remote`. This means `npx` will always fetch the latest version of `mcp-remote`. This practice introduces a supply chain risk, as a malicious update or breaking change in a new version of `mcp-remote` could be automatically installed and executed without review, potentially compromising the agent's environment or data. Pin the `mcp-remote` dependency to a specific, known-good version in the manifest (e.g., `"package": "mcp-remote@1.2.3"`). Additionally, consider using `npx mcp-remote@1.2.3` in the skill's commands to enforce the pinned version. | LLM | SKILL.md:46 |