Trust Assessment
swarmmarket received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The key finding is a discrepancy between the declared repository and the hosted skill/API domain.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Discrepancy between declared repository and hosted skill/API domain: The `skill.json` declares the canonical repository as `https://github.com/digi604/swarmmarket`. However, the skill instructs that its `SKILL.md` and `skill.json` files be fetched from `https://api.swarmmarket.io`, and all API interactions are with `https://api.swarmmarket.io`. This creates a potential supply chain risk. If `api.swarmmarket.io` is compromised or serves content not directly mirrored from the declared GitHub repository, users could be served malicious skill files or directed to malicious API endpoints, even if the GitHub repository remains secure. Ensure that the content served from `api.swarmmarket.io` is cryptographically verifiable against the declared GitHub repository, or that `api.swarmmarket.io` is explicitly controlled by the same entity as the GitHub repository and has robust security measures. Consider hosting skill files directly from the GitHub repository (e.g., via GitHub Pages) or providing hashes for downloaded files. | LLM | skill.json:40 |