Security Audit: ubs
Repository: github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations

Trust Assessment
ubs received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The key finding is: Installation script sourced from unverified or mismatched GitHub repository.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit c7bd8e0f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Installation script sourced from unverified or mismatched GitHub repository | Static | SKILL.md:239 |

Details: The skill package is hosted on `https://github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations`, but the recommended installation method instructs users to fetch and execute a script from `https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/master/install.sh`. This discrepancy indicates that the software being installed originates from a different, unverified source than the skill itself. This poses a significant supply chain risk, as the content of the `install.sh` script is not controlled by the `Mrc220` repository owner. Furthermore, fetching from the `master` branch means the script's content can change at any time without explicit review, increasing the risk of introducing malicious code or vulnerabilities.

Recommendations:

1. **Verify Source**: Ensure the `install.sh` script is hosted within the `Mrc220/agent_flywheel_clawdbot_skills_and_integrations` repository or a clearly documented and trusted source. If an external source is intended, explicitly document the trust relationship and rationale.
2. **Pin Version**: Update the installation command to fetch the script from a specific commit hash or a version tag (e.g., `v1.2.3`) instead of the mutable `master` branch to ensure stability and prevent unexpected changes.
3. **Review Script**: Provide the content of the `install.sh` script for review within the skill package, or ensure it is thoroughly audited before recommending direct execution.
4. **Local Installation**: Consider recommending a local installation method that does not involve piping an unreviewed remote script directly to `bash`.
Powered by SkillShield