Trust Assessment
yclawker-news received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is unpinned dependency execution during installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned dependency execution during installation. The skill's installation instructions use `npx molthub@latest install yclawker-news`. The `@latest` tag means the `molthub` package is unpinned, allowing for arbitrary code execution if a malicious version of `molthub` or `yclawker-news` is published. This introduces a significant supply chain risk during the skill's installation process. Pin the version of `molthub` (e.g., `npx molthub@1.2.3 install yclawker-news`) and ensure the `yclawker-news` package itself is from a trusted source and ideally also version-pinned or cryptographically verified. | LLM | skill.md:18 |