Trust Assessment
Uncle Matt received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key finding: unpinned external dependency for core security components.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned external dependency for core security components.** The skill explicitly states that it relies on an external GitHub repository (`https://github.com/uncmatteth/UNCLEMATTCLAWBOT`) for its core functionality, including the Broker and installer scripts. The skill package itself is incomplete without this dependency. There is no mechanism described to pin the version of this external repository (e.g., a specific commit hash or tag), meaning that changes to the upstream repository could introduce vulnerabilities or malicious code without the skill package being updated or reviewed. This poses a significant supply chain risk, as the integrity of the entire security model (Broker, allowlists, secret management) is dependent on the trustworthiness and immutability of this external source. **Recommendation:** Implement a mechanism to pin the version of the external `UNCLEMATTCLAWBOT` repository (e.g., by referencing a specific commit hash or tag, or by vendoring the code). Ensure that the skill's installation process verifies the integrity of the downloaded external components. | LLM | SKILL.md:62 |
Full report: https://skillshield.io/report/8ba0dab8a1169012