Trust Assessment
test-runner received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 0 high, 5 medium, and 0 low severity. Key findings include "Missing required field: name", "Unpinned npm dependencies in installation command", and "Unpinned Python dependencies in installation command".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. | Add a 'name' field to the SKILL.md frontmatter. | Static | skills/cmanfre7/test-runner/SKILL.md:1 |
| MEDIUM | Unpinned npm dependencies in installation command | The skill documentation suggests installing npm packages without specifying exact versions. This can lead to non-deterministic builds, compatibility issues, or the unintentional inclusion of vulnerable or malicious package versions if a dependency is compromised or updated with breaking changes. It's best practice to pin dependencies to specific versions. | Pin package versions (e.g., `npm install -D vitest@1.0.0 @testing-library/react@13.0.0 @testing-library/jest-dom@5.0.0`). Use `package-lock.json` or `yarn.lock` to ensure deterministic installs. | LLM | SKILL.md:20 |
| MEDIUM | Unpinned npm dependencies in installation command | The skill documentation suggests installing npm packages without specifying exact versions. This can lead to non-deterministic builds, compatibility issues, or the unintentional inclusion of vulnerable or malicious package versions if a dependency is compromised or updated with breaking changes. It's best practice to pin dependencies to specific versions. | Pin package versions (e.g., `npm install -D jest@29.0.0 @types/jest@29.0.0 ts-jest@29.0.0`). Use `package-lock.json` or `yarn.lock` to ensure deterministic installs. | LLM | SKILL.md:33 |
| MEDIUM | Unpinned Python dependencies in installation command | The skill documentation suggests installing Python packages without specifying exact versions. This can lead to non-deterministic builds, compatibility issues, or the unintentional inclusion of vulnerable or malicious package versions if a dependency is compromised or updated with breaking changes. It's best practice to pin dependencies to specific versions. | Pin package versions (e.g., `uv pip install pytest==7.0.0 pytest-cov==4.0.0 pytest-asyncio==0.21.0 httpx==0.24.0`). Use a `requirements.txt` file with pinned versions for production. | LLM | SKILL.md:46 |
| MEDIUM | Unpinned npm dependencies in installation command | The skill documentation suggests installing npm packages without specifying exact versions. This can lead to non-deterministic builds, compatibility issues, or the unintentional inclusion of vulnerable or malicious package versions if a dependency is compromised or updated with breaking changes. It's best practice to pin dependencies to specific versions. | Pin package versions (e.g., `npm install -D @playwright/test@1.30.0`). Use `package-lock.json` or `yarn.lock` to ensure deterministic installs. | LLM | SKILL.md:63 |
Full report: https://skillshield.io/report/5eb5678a70559e65 (powered by SkillShield)