Trust Assessment
uid_node received a trust score of 59/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 1 medium, and 2 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Private Key Stored Unencrypted on Filesystem.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Private Key Stored Unencrypted on Filesystem The skill generates an Ed25519 key pair during registration and stores the private key unencrypted in the '.identity.json' file. This file is located in the skill's working directory. Storing private keys directly on the filesystem without encryption poses a critical security risk, as any other process or attacker gaining access to the filesystem could compromise the agent's identity and associated accounts. Private keys should never be stored unencrypted on disk. Consider using secure key storage mechanisms provided by the host environment, requiring a user-provided passphrase for encryption, or re-authenticating the agent on each startup without persisting the private key locally. If local persistence is unavoidable, implement robust encryption for the private key. | LLM | lib/api.js:64 | |
| MEDIUM | Unpinned npm dependency version Dependency 'node-fetch' is not pinned to an exact version ('^2.6.7'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/koolninad/uid-life/package.json | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/koolninad/uid-life/package.json | |
| LOW | Unpinned Dependency Version The 'package.json' file specifies 'node-fetch' with a caret (^) range ('^2.6.7'). This allows for automatic updates to new minor and patch versions. While convenient, this practice can introduce unexpected changes, vulnerabilities, or breaking behavior if a malicious update were to be published or if a new version contains an undiscovered vulnerability. Best practice for security-sensitive applications is to pin exact dependency versions. Pin the exact version of 'node-fetch' (e.g., '"node-fetch": "2.6.7"') to ensure deterministic builds and prevent unexpected updates. Use a lock file (e.g., 'package-lock.json') to manage dependency versions, and regularly audit dependencies for known vulnerabilities. | LLM | package.json:6 |
Scan History
Embed Code
[](https://skillshield.io/report/9a74958c68069cac)
Powered by SkillShield