Trust Assessment
rspress-v2-upgrade received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The finding is direct shell command execution with an unpinned dependency.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 46637d3c). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Direct shell command execution and unpinned dependency. The skill instructs the agent to execute a shell command: `npx taze major --include /rspress/ -w -r`. This directly invokes an external process, which is a command injection vector. While the arguments are hardcoded in this instance, the use of `npx` also introduces a supply chain risk as it fetches and executes an unpinned third-party package (`taze`) from the npm registry. A compromised `taze` package or npm registry could lead to arbitrary code execution on the host system. The lack of a pinned version for `taze` means that any future malicious update to the `taze` package would automatically be executed. Recommendations: 1. Avoid direct shell command execution where possible. If necessary, ensure commands are fully sandboxed or executed in a highly restricted environment. 2. Pin the version of `taze` (e.g., `npx taze@x.y.z ...`) to mitigate risks from future malicious updates or breaking changes. 3. Consider using a more controlled dependency update mechanism if available within the agent's capabilities, rather than a generic CLI tool. | Unknown | SKILL.md:17 |