Trust Assessment
rsbuild-v2-upgrade received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Execution of unpinned external tool via npx.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit 76880945). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Execution of unpinned external tool via npx The skill instructs the agent to execute `npx taze major --include /rsbuild/ -w -r`. `npx` downloads and runs the latest version of the `taze` package from npm. This introduces a supply chain risk, as a compromised or malicious version of `taze` could be executed without explicit version pinning or prior vetting. If the `taze` package were to be compromised, this skill would execute the malicious code. Pin the version of `taze` when executing via `npx` (e.g., `npx taze@x.y.z ...`) to mitigate supply chain risks. Alternatively, consider adding `taze` as a dev dependency to the project's `package.json` with a pinned version and then executing it via `npm exec taze` or `yarn taze`. | Static | SKILL.md:24 |
Scan History
Embed Code
[](https://skillshield.io/report/0504661890a922fe)
Powered by SkillShield