Trust Assessment
monorepo-management received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 1 medium, and 2 low severity. Key findings include Unpinned `npx` command in setup example, Loosely pinned dependencies in example `package.json` files, Loosely pinned GitHub Action in CI/CD example.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 1, 2026 (commit 0818067b). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned `npx` command in setup example The `npx create-turbo@latest` command uses the `@latest` tag, which means the exact version of the `create-turbo` package is not specified. This can lead to non-deterministic builds and potentially introduce vulnerabilities or breaking changes if a malicious or incompatible version is published to the npm registry. For critical setup commands, pinning to a specific version is a stronger security practice. Recommend pinning the `npx` command to a specific version, e.g., `npx create-turbo@1.10.0 my-monorepo`, or at least a major version like `npx create-turbo@1 my-monorepo`, to ensure reproducibility and mitigate supply chain risks. | LLM | SKILL.md:50 | |
| LOW | Loosely pinned dependencies in example `package.json` files The example `package.json` files (root and `packages/ui`) use caret (`^`) ranges for `devDependencies` (e.g., `"turbo": "^1.10.0"`, `"typescript": "^5.0.0"`). While common in development, this allows for automatic updates to minor and patch versions, which could introduce unexpected behavior, vulnerabilities, or breaking changes. This practice contradicts the 'Consistent Versioning' best practice mentioned later in the skill. For production-grade examples, consider recommending exact version pinning (e.g., `"1.10.0"`) or using tilde (`~`) for patch-only updates. Align the examples with the 'Consistent Versioning' best practice to enhance supply chain security and reproducibility. | LLM | SKILL.md:90 | |
| LOW | Loosely pinned GitHub Action in CI/CD example The example GitHub Actions workflow uses `changesets/action@v1`. Pinning to a major version tag means that any updates within the `v1` series will be automatically pulled. This can lead to non-deterministic CI/CD runs and potentially introduce breaking changes or vulnerabilities if a malicious update is pushed to the `v1` tag by the action maintainers. Recommend pinning GitHub Actions to a specific commit SHA or a more precise version tag (e.g., `v1.x.y`) for improved security, reproducibility, and to mitigate supply chain risks. | LLM | SKILL.md:180 |
Scan History
Embed Code
[](https://skillshield.io/report/d02b8110c50230f6)
Powered by SkillShield