Security Audit

abhinag007/openclaw-skill:skills/agentlink

github.com/abhinag007/openclaw-skill

AI SkillCommit d5f3750f6979

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

abhinag007/openclaw-skill:skills/agentlink received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Insecure Credential Handling and Storage, Unsafe Shell Command Execution.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 8, 2026 (commit d5f3750f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

78%

Behavioral Risk Signals

Filesystem Write

2 findings

Shell Execution

1 finding

Security Findings2

Severity	Finding	Layer	Location
HIGH	Insecure Credential Handling and Storage The skill documentation instructs the agent to accept a server-generated cryptocurrency private key ('secret_key') and store it in plaintext on the local filesystem. Server-side key generation compromises the wallet security immediately (the server knows the key), and plaintext storage exposes the key to local theft. Do not use server-generated private keys. Generate keys locally and only sign transactions locally. Store keys in a secure vault or encrypted keystore, not plaintext JSON files.	LLM	SKILL.md:55
MEDIUM	Unsafe Shell Command Execution The documentation provides complex shell commands using `python3 -c` with inline code to process private keys. If an agent executes this with malformed or malicious input substituted for 'YOUR_SECRET_KEY', it could lead to arbitrary code execution. Additionally, it writes sensitive key material to `/tmp`, which is often insecure. Avoid inline python execution via shell. Use a dedicated script file or a secure library for key management. Do not write sensitive keys to temporary directories.	LLM	SKILL.md:130

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/8b9bff96a377e700.svg)](https://skillshield.io/report/8b9bff96a377e700)