Security Audit
ubs
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations
Trust Assessment
ubs received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The finding is: installation script sourced from an unverified or mismatched GitHub repository.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit c7bd8e0f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Installation script sourced from unverified or mismatched GitHub repository | Unknown | SKILL.md:239 |

The skill package is hosted on `https://github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations`, but the recommended installation method instructs users to fetch and execute a script from `https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/master/install.sh`. The software being installed therefore originates from a different, unverified source than the skill itself. This is a significant supply chain risk: the content of `install.sh` is not controlled by the `Mrc220` repository owner, and fetching it from the `master` branch means the branch head, and so the script's content, can change at any time without explicit review, increasing the risk that malicious code or vulnerabilities are introduced into every new installation.

Recommendations:

1. **Verify Source**: Ensure the `install.sh` script is hosted within the `Mrc220/agent_flywheel_clawdbot_skills_and_integrations` repository or a clearly documented and trusted source. If an external source is intended, explicitly document the trust relationship and rationale.
2. **Pin Version**: Update the installation command to fetch the script from a specific commit hash instead of the mutable `master` branch. A version tag (e.g., `v1.2.3`) is better than a branch but is still a movable reference; only a commit hash is immutable.
3. **Review Script**: Provide the content of the `install.sh` script for review within the skill package, or record the SHA-256 digest of the reviewed version so that what a user downloads can be checked before it is executed.
4. **Local Installation**: Recommend an installation method that downloads the script to disk for inspection rather than piping an unreviewed remote script directly to `bash`.
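The following shell script is an added example of the remediation the finding describes; it is not code from the audited skill, from the `ultimate_bug_scanner` project, or from SkillShield. It rewrites the raw GitHub URL so it references a commit SHA instead of `master`, downloads the script to a file instead of piping it into a shell, checks the file's SHA-256 against a digest recorded at review time, and executes only on a match. The function names, the commit SHA and the digest in the usage comment are placeholders chosen for illustration.

```sh
#!/bin/sh
# Added example; not code from the audited skill, from ultimate_bug_scanner,
# or from SkillShield. Hardened replacement for
#   curl -fsSL https://raw.githubusercontent.com/<owner>/<repo>/master/install.sh | bash
# 1. pin the raw URL to an immutable commit SHA instead of a branch,
# 2. download to a file (never pipe straight into a shell),
# 3. check its SHA-256 against a digest recorded when the script was reviewed,
# 4. execute only on a match.
set -u

# Rewrite the <ref> segment of raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>
# to the given commit SHA. Branch names and tags are both movable references;
# only a commit SHA is immutable.
pin_raw_url() {
    url="$1"; sha="$2"
    printf '%s\n' "$url" |
        sed -E "s#^(https://raw\.githubusercontent\.com/[^/]+/[^/]+/)[^/]+/#\1${sha}/#"
}

# Compare a file's SHA-256 with the expected digest. Returns 0 on match, 1 otherwise.
# Uses sha256sum (GNU) or falls back to shasum (macOS/BSD).
verify_digest() {
    file="$1"; expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    [ "$actual" = "$expected" ]
}

# Fetch the pinned script, verify it, and run it only if the digest matches.
# The commit SHA and digest are values you record after reviewing the script.
install_pinned() {
    url="$1"; sha="$2"; expected="$3"
    pinned=$(pin_raw_url "$url" "$sha")
    tmp=$(mktemp) || return 1
    # --proto '=https' refuses any downgrade to http:// via redirect.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$pinned"; then
        echo "download failed: $pinned" >&2
        rm -f "$tmp"; return 1
    fi
    if ! verify_digest "$tmp" "$expected"; then
        echo "SHA-256 mismatch for $pinned; refusing to execute" >&2
        rm -f "$tmp"; return 1
    fi
    if sh "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (the commit SHA and digest below are placeholders, not real values):
# install_pinned \
#   https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/master/install.sh \
#   0000000000000000000000000000000000000000 \
#   0000000000000000000000000000000000000000000000000000000000000000
```

The digest check is what turns the pin into a verifiable claim: a commit SHA fixes which revision is fetched, but the digest recorded in the skill's own documentation lets the installer confirm that the bytes received are the bytes that were reviewed, independent of the hosting repository.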
Full report: https://skillshield.io/report/a22bc825283e6b11