Security Audit
pskoett/pskoett-ai-skills:skills/simplify-and-harden-ci
github.com/pskoett/pskoett-ai-skills
Trust Assessment
pskoett/pskoett-ai-skills:skills/simplify-and-harden-ci received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The single finding is an unpinned GitHub Action dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 3, 2026 (commit 3b2f47cc). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Detail | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| MEDIUM | Unpinned GitHub Action dependency | The recommended GitHub Action `github/gh-aw/actions/setup-cli@main` references the `main` branch rather than a specific commit SHA or version tag. This is a supply-chain risk: any change pushed to `main`, including a malicious one, is picked up by the CI pipeline on its next run without explicit review, and can execute with the job's permissions and secrets. | Pin the action to a full-length commit SHA (e.g. `uses: github/gh-aw/actions/setup-cli@<commit_sha>`), keeping the intended version as a trailing comment. A version tag such as `uses: github/gh-aw/actions/setup-cli@v0.2.0-beta` (if that is the intended version) is better than a branch but is still mutable, since tags can be moved or re-created; only a commit SHA is immutable. Note that the action lives in a subdirectory, so the SHA must be a commit of the `github/gh-aw` repository. | Static | SKILL.md:40 |
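The check below is an added example, not part of the audited skill or of SkillShield: a small scanner that finds `uses:` references in a GitHub Actions workflow that are not pinned to a full-length commit SHA, distinguishes branch refs from (still mutable) tag refs, reports which repository the pin SHA must come from, and builds the pinned form. The workflow text, the action names other than `github/gh-aw/actions/setup-cli`, and the SHA are constructed placeholders.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example for the finding above; not the skill's or SkillShield's code.
Branch/tag classification is a heuristic (no network lookup is performed).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_LIKE_RE = re.compile(r"^v?\d+(\.\d+)*([-+.][0-9A-Za-z.-]+)?$")

# Constructed sample workflow (assumption: not the skill's actual SKILL.md).
# The SHA on the actions/cache line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: github/gh-aw/actions/setup-cli@main
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: octo/org-action
"""


@dataclass
class Finding:
    line: int
    action: str  # owner/repo[/path]
    repo: str  # owner/repo whose commit SHA must be used for the pin
    ref: Optional[str]
    kind: str  # "missing", "branch" or "tag"
    advice: str


def repo_of(action: str) -> str:
    """Actions may live in a subdirectory; the pin SHA belongs to owner/repo."""
    return "/".join(action.split("/")[:2])


def classify(ref: Optional[str]) -> Optional[str]:
    """Return None for an immutable (full SHA) ref, else the kind of mutable ref."""
    if not ref:
        return "missing"
    if FULL_SHA_RE.match(ref):
        return None
    # Heuristic: version-looking refs are tags (mutable, but intentional);
    # anything else is treated as a branch.
    return "tag" if TAG_LIKE_RE.match(ref) else "branch"


def pin_advice(action: str, ref: Optional[str], kind: str) -> str:
    repo = repo_of(action)
    if kind == "missing":
        return f"add @<40-hex commit SHA of {repo}>"
    return f"replace @{ref} with a 40-hex commit SHA of {repo} and keep '{ref}' as a comment"


def find_unpinned(workflow_text: str) -> List[Finding]:
    """Return every remote action reference that is not pinned to a full SHA."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and Docker images are not resolved through a git ref.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        kind = classify(ref)
        if kind is None:
            continue
        findings.append(
            Finding(lineno, action, repo_of(action), ref or None, kind, pin_advice(action, ref, kind))
        )
    return findings


def pinned_line(action: str, sha: str, human_ref: str) -> str:
    """Build the hardened `uses:` line: SHA pin plus the intended version as a comment."""
    if not FULL_SHA_RE.match(sha):
        raise ValueError("pin must be a full-length 40-hex commit SHA")
    return f"uses: {action}@{sha} # {human_ref}"


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref or ''} [{f.kind}] -> {f.advice}")
```

Run it over real workflow files with `find_unpinned(open(path).read())`; the SHA to pass to `pinned_line` should be resolved from the action's repository (for example with `git ls-remote` against the tag you intend) and reviewed before it is committed.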
Embed Code
[SkillShield report](https://skillshield.io/report/1beae7a72978dfa6)
Powered by SkillShield