Trust Assessment
wpclaw-connector received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 4 findings: 0 critical, 0 high, 2 medium, and 2 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Potential PII exposure via `check_order` tool.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned npm dependency version Dependency 'axios' is not pinned to an exact version ('^1.6.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/magnum-opus-v1/wpclaw-lite/package.json | |
| MEDIUM | Potential PII exposure via `check_order` tool The `check_order` tool retrieves and returns customer billing information (first name, last name) from the WooCommerce store. While this is intended functionality for the skill, if the host LLM is not properly secured or instructed, this Personally Identifiable Information (PII) could be exposed to unauthorized users or used in unintended contexts, leading to a data exfiltration risk. Implement strict PII handling policies for the LLM. Consider adding a warning or explicit consent mechanism before displaying customer names. If possible, allow the tool to return a redacted version or require explicit permission for PII access. | LLM | scripts/index.js:80 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/magnum-opus-v1/wpclaw-lite/package.json | |
| LOW | Unpinned dependency `axios` in package.json The `package.json` file specifies the `axios` dependency with a caret (`^`) version range (`^1.6.0`). This allows for automatic updates to new minor and patch versions. While common, it introduces a slight supply chain risk that a malicious or buggy update to `axios` could be automatically pulled in, potentially compromising the skill. Pinning to an exact version provides more deterministic builds and reduces this specific risk. Pin the `axios` dependency to an exact version (e.g., `"axios": "1.6.0"`) to ensure deterministic builds and prevent unexpected changes from upstream updates. | LLM | package.json:6 |
Scan History
Embed Code
[](https://skillshield.io/report/0edc7d44f5bbda39)
Powered by SkillShield