Security Audit

agentarcade

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

agentarcade received a trust score of 42/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include Hardcoded Bearer Token detected, Untrusted instruction in Heartbeat Integration.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

70%

Dependency Graph

100%

LLM Behavioral Safety

70%

Behavioral Risk Signals

Filesystem Write

1 finding

Shell Execution

1 finding

Dynamic Code

1 finding

Security Findings3

Severity	Finding	Layer	Location
CRITICAL	Untrusted instruction in Heartbeat Integration The skill documentation contains a direct instruction `Read skills/agentarcade/HEARTBEAT.md and follow it.` within the untrusted input block. If the host LLM processes this as an instruction, it constitutes a prompt injection attempt, compelling the LLM to execute commands or read files based on untrusted content. This violates the principle of treating all content within the untrusted delimiters as data, not instructions. Remove direct instructions intended for the host LLM from untrusted content. Rephrase as descriptive text (e.g., 'The `HEARTBEAT.md` file contains instructions for periodic checks.') or move such instructions outside the untrusted block if they are truly meant for the LLM.	LLM	SKILL.md:52
HIGH	Hardcoded Bearer Token detected A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference.	Static	skills/shawnlewis/agent-arcade/SKILL.md:30
HIGH	Hardcoded Bearer Token detected A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference.	Static	skills/shawnlewis/agent-arcade/SKILL.md:37

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/b4457118aff7c0c2.svg)](https://skillshield.io/report/b4457118aff7c0c2)