Trust Assessment
perf-astro received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The finding is unpinned dependencies in installation instructions.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit f4b5c7d6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned dependencies in installation instructions: The skill recommends installing `astro-critters` and `@playform/compress` using `npm install` without specifying exact versions. This practice can lead to supply chain vulnerabilities, as future versions of these packages might introduce breaking changes, security flaws, or even malicious code. It's best practice to pin dependencies to specific versions or use version ranges with care to ensure reproducibility and mitigate risks from unexpected updates. Recommend pinning package versions (e.g., `npm install astro-critters@1.0.0 @playform/compress@2.0.0`) or using a lock file (like `package-lock.json` or `yarn.lock`) to ensure deterministic installations. | Unknown | SKILL.md:10 |