Trust Assessment
things-mac received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned Dependency in Skill Installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned Dependency in Skill Installation.** The skill's manifest specifies `github.com/ossianhempel/things3-cli/cmd/things@latest` for installation. Using `@latest` means the skill will always fetch the most recent version of the dependency without a specific version pin. This introduces a supply chain risk, as a malicious update to the upstream repository could automatically introduce vulnerabilities into the skill's environment without review. Pin the dependency to a specific, immutable version (e.g., a commit hash or a semantic version tag like `@v1.2.3`) instead of `@latest`. Regularly review and update the pinned version to incorporate necessary security patches and features. | Static | Manifest |
Scan History