Trust Assessment
dbos-golang received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned dependency in `go get` command.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned dependency in `go get` command The `go get` command uses `@latest` to fetch the `dbos-transact-golang` module. This means the dependency version is not pinned, which can lead to non-deterministic builds and introduces a supply chain risk. A malicious update to the upstream repository could automatically be pulled into the project without explicit review, potentially introducing vulnerabilities or backdoors. Pin the dependency to a specific version or commit hash (e.g., `go get github.com/dbos-inc/dbos-transact-golang/dbos@v1.2.3` or `go get github.com/dbos-inc/dbos-transact-golang/dbos@<commit_hash>`) to ensure deterministic builds and mitigate supply chain risks from unexpected upstream changes. | LLM | SKILL.md:48 |
Scan History
Embed Code
[](https://skillshield.io/report/32ab42ff11c180c4)
Powered by SkillShield