Security Audit
slb
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations
Trust Assessment
slb received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings: an unsafe 'curl | bash' installation method and an unpinned dependency in 'go install'.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit c7bd8e0f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unsafe 'curl \| bash' installation method: The skill recommends installing the 'slb' tool using a 'curl \| bash' pipeline. This method is inherently risky as it executes arbitrary code downloaded from the internet directly. If the remote script at `https://raw.githubusercontent.com/Dicklesworthstone/slb/main/scripts/install.sh` were compromised, it could lead to arbitrary code execution on the user's system. While this skill is a rubric and the LLM is not expected to execute this, it presents a significant supply chain risk to any user following these instructions. Recommend a safer installation method, such as downloading the script, reviewing its contents, and then executing it, or providing pre-compiled binaries with checksums. Alternatively, use a package manager if available. | Unknown | SKILL.md:48 |
| MEDIUM | Unpinned dependency in 'go install': The skill recommends installing the 'slb' tool using `go install github.com/Dicklesworthstone/slb/cmd/slb@latest`. Using `@latest` means the version is unpinned, which introduces a supply chain risk. A malicious update to the `slb` repository could be pulled and installed without explicit user review of a specific version, potentially introducing vulnerabilities or backdoors. While this skill is a rubric and the LLM is not expected to execute this, it presents a supply chain risk to any user following these instructions. Pin the dependency to a specific, known-good version (e.g., `go install github.com/Dicklesworthstone/slb/cmd/slb@v1.2.3`) to ensure reproducibility and prevent unexpected changes from being introduced. | Unknown | SKILL.md:51 |
Full report: https://skillshield.io/report/7a729406281650bb