Trust Assessment
vibetesting received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 0 critical, 0 high, 4 medium, and 2 low severity. Key findings include Unsafe deserialization / dynamic eval, Missing required field: name, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| MEDIUM | Unsafe deserialization / dynamic eval | Decryption followed by code execution. | Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/senthazalravi/vibetesting/index.js:191 |
| MEDIUM | Unsafe deserialization / dynamic eval | Decryption followed by code execution. | Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/senthazalravi/vibetesting/index.js:229 |
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. | Add a 'name' field to the SKILL.md frontmatter. | Static | skills/senthazalravi/vibetesting/SKILL.md:1 |
| MEDIUM | Unpinned `npx` Dependency for `clawhub` in Publishing Script | The `publish.sh` script uses `npx clawhub publish` without specifying a version. This means it will always fetch and execute the latest version of the `clawhub` package from npm. While this ensures updates, it also introduces a supply chain risk where a malicious or breaking change in a new `clawhub` version could be automatically executed without review, potentially compromising the publishing process or the skill itself. | Pin the `clawhub` dependency to a specific version (e.g., `npx clawhub@1.2.3 publish ...`) or include `clawhub` as a `devDependency` in `package.json` with a pinned version to ensure consistent and reviewed execution. | LLM | publish.sh:58 |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). | Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/senthazalravi/vibetesting/package.json |
| LOW | Hardcoded Personal Git Configuration in Publishing Script | The `publish.sh` script hardcodes a specific email and name (`ravi.antone@gmail.com`, `Senthazal Ravi`) for git configuration. If this script is run by another developer, it will overwrite their local git user configuration with these values, potentially leading to commits being attributed incorrectly or exposing the original developer's personal information in new repositories. | Remove the hardcoded email and name. Instruct users to configure their own git identity or use environment variables (e.g., `git config user.email "${GIT_USER_EMAIL}"`). | LLM | publish.sh:14 |
| INFO | Misrepresentation of Browser Automation and Security Testing Capabilities | The `SKILL.md` documentation describes the skill as a 'Browser Automation Testing Skill' capable of 'Functional Testing', 'UI Testing', 'Accessibility Testing', 'Performance Testing', 'Visual Regression Testing', and 'Security Testing' (including XSS scanning and form validation). However, the `index.js` implementation explicitly states that 'actual browser automation (e.g., Puppeteer, Playwright)' is a `TODO` and currently uses `fetch` for navigation. This means the skill, as implemented, cannot perform client-side browser actions, JavaScript execution, or comprehensive UI/accessibility/visual/XSS testing as advertised. This functional gap could mislead the LLM or user about the scope and reliability of the security tests performed, potentially leading to incorrect security assessments or a false sense of security. | Either update the `SKILL.md` to accurately reflect the current capabilities (server-side fetching only) or implement the full browser automation functionality using libraries like Puppeteer or Playwright and list them as dependencies in `package.json`. | LLM | index.js:60 |