Trust Assessment
tides received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 2 medium, and 1 low severity. Key findings include Reliance on external third-party API, User-provided data transmitted to external service, Non-standard "Basic" authentication token handling.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Reliance on external third-party API: The skill's core functionality is entirely dependent on an external JSON-RPC API hosted at `https://hamandmore.net`. This introduces a supply chain risk, as the security, availability, and behavior of this third-party service are outside the control of the skill package. A compromise or malicious change to the external service could directly impact the skill's operation and data handling. Document the third-party dependency and its associated risks. For critical applications, consider implementing mechanisms to verify the integrity or expected behavior of the external service, or explore options for using more trusted providers or self-hosting. | LLM | SKILL.md:12 |
| MEDIUM | Non-standard "Basic" authentication token handling: The skill documentation specifies that `Authorization: Basic <token>` is used with an "opaque token prefix, not RFC Basic base64 decoding" and that "Tokens do not need to be valid base64." This deviates from the standard RFC 7617 Basic Authentication scheme, which typically involves base64 encoding. This non-standard approach could indicate a custom or less robust authentication mechanism on the server side, potentially increasing the risk of token mishandling or misinterpretation compared to widely adopted standards. Clarify the exact security properties and implementation details of the non-standard "Basic" token handling. If possible, align with standard authentication protocols (e.g., OAuth2, standard Basic Auth) to leverage well-understood security practices and tooling. | LLM | SKILL.md:29 |
| LOW | User-provided data transmitted to external service: The skill's design involves transmitting user-provided data, such as geographical coordinates (latitude, longitude), timestamps, and requested variables, directly to the external API at `https://hamandmore.net`. While this is the intended function of the skill, it means that this potentially sensitive user data is sent to a third-party service, which could have privacy implications depending on the data's nature and the service's policies. Clearly inform users about the specific types of data being sent to the external service and provide links to its privacy policy. Implementations using this skill should ensure user consent is obtained before transmitting potentially sensitive information. | LLM | SKILL.md:70 |