Trust Assessment
weather-pollen received a trust score of 74/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 1 medium, and 2 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Prompt Injection via unsanitized location argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Prompt Injection via unsanitized location argument The 'location' argument, which is user-controlled via the tool's schema, is directly embedded into the skill's output string without sanitization. An attacker could inject markdown or other LLM-interpretable instructions into the 'location' field, potentially manipulating the host LLM's behavior or extracting sensitive information. Sanitize the 'location' string before embedding it into the output. This can involve stripping markdown, escaping special characters, or explicitly instructing the LLM to treat the output as literal text. For example, enclose the user-provided location in a code block or a specific tag that the LLM is instructed to ignore for command interpretation. | LLM | logic.ts:136 | |
| MEDIUM | Unpinned npm dependency version Dependency 'zod' is not pinned to an exact version ('^4.3.5'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/thesethrose/weather-pollen/package.json | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/thesethrose/weather-pollen/package.json | |
| LOW | Unused binary dependency declared The skill's manifest declares a requirement for the 'curl' binary, but the provided 'logic.ts' code does not appear to use 'curl' for any operations, instead relying on the native 'fetch' API. Declaring unnecessary binary dependencies can lead to excessive permissions being granted to the skill, increasing its attack surface if a vulnerability were to be discovered in the unused binary or if the skill's code were later modified to use it insecurely. Remove the 'curl' entry from the 'bins' requirement in the skill's manifest if it is not genuinely used by the skill's logic. Only declare dependencies that are strictly necessary for the skill's functionality. | LLM | SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/536cd68963c2ace0)
Powered by SkillShield