Security Audit
abhinag007/openclaw-skill:skills/agentlink
github.com/abhinag007/openclaw-skill
Trust Assessment
abhinag007/openclaw-skill:skills/agentlink received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Insecure Credential Handling and Storage, Unsafe Shell Command Execution.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 8, 2026 (commit d5f3750f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Insecure Credential Handling and Storage: The skill documentation instructs the agent to accept a server-generated cryptocurrency private key ('secret_key') and store it in plaintext on the local filesystem. Server-side key generation compromises the wallet security immediately (the server knows the key), and plaintext storage exposes the key to local theft. Do not use server-generated private keys. Generate keys locally and only sign transactions locally. Store keys in a secure vault or encrypted keystore, not plaintext JSON files. | Unknown | SKILL.md:55 |
| MEDIUM | Unsafe Shell Command Execution: The documentation provides complex shell commands using `python3 -c` with inline code to process private keys. If an agent executes this with malformed or malicious input substituted for 'YOUR_SECRET_KEY', it could lead to arbitrary code execution. Additionally, it writes sensitive key material to `/tmp`, which is often insecure. Avoid inline Python execution via shell. Use a dedicated script file or a secure library for key management. Do not write sensitive keys to temporary directories. | Unknown | SKILL.md:130 |