Trust Assessment
app-store-screenshots received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are unpinned remote script execution in the Quick Start section and unpinned external skill dependencies.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned remote script execution in Quick Start.** The skill's Quick Start section instructs users to download and execute a script directly from a remote URL (`https://cli.inference.sh`) via `curl | sh`. This pattern is highly susceptible to supply chain attacks: a compromise of the remote server or of the script itself leads to arbitrary code execution on the user's system, and because the script is not pinned to a specific version or hash, it can change over time without any user review. Recommendation: do not pipe remote scripts directly to `sh`. Download the script, review it, and then execute it, or install through a package manager that performs integrity checks. Pin to a specific version or hash so the script's integrity can be verified before it runs. | LLM | SKILL.md:10 |
| MEDIUM | **Unpinned external skill dependencies.** The Related Skills section recommends adding external skills with `npx skills add inferencesh/skills@<skill-name>`. These commands specify neither a version nor a commit hash for the external skills, so they are exposed to supply chain attacks: if the `inferencesh/skills` repository or the npm registry (from which `npx` fetches the `skills` tool) were compromised, users could inadvertently install malicious or altered skills. Recommendation: always pin external dependencies to specific versions or commit hashes, or use a lock file, so installs are reproducible and unexpected upstream changes are not picked up. For `npx skills add`, specify a version, for example `inferencesh/skills@ai-image-generation@1.2.3`. | LLM | SKILL.md:190 |
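The mitigation the HIGH finding asks for, written out as an added example (this is not code from the app-store-screenshots skill or from SkillShield): instead of `curl https://cli.inference.sh | sh`, the installer is downloaded to a file, its SHA-256 is compared against a digest pinned in advance, and only a matching file is kept for review and execution. The URL is the one named in the finding; the pinned digest is a placeholder, since the page does not publish one, and must be obtained from the publisher through a channel separate from the script itself.

```shell
#!/bin/sh
# Added example, not part of the skill or the SkillShield report.
# Hardened alternative to `curl <url> | sh`: download, verify a pinned
# SHA-256, then review and run. URL and digest below are placeholders.

# Compute the SHA-256 hex digest of a file portably
# (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file's digest equals the expected hex digest, 1 otherwise.
# The comparison is case-insensitive so a digest copied in uppercase still matches.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Download a URL to a temporary file, verify it against the pinned digest,
# and only then move it to its destination. Fails closed: a download error
# or a digest mismatch removes the temporary file and returns non-zero,
# so nothing unverified is ever left on disk to be executed.
fetch_pinned() {
    url=$1
    expected=$2
    dest=$3
    tmp=$(mktemp) || return 1
    # --proto '=https' refuses redirects to plain http; -f fails on HTTP errors.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"
        echo "download failed: $url" >&2
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "SHA-256 mismatch for $url (got $(sha256_of "$tmp"))" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest" && chmod 0644 "$dest"
}

# Usage (placeholders; the real digest must come from the publisher's release
# notes or a signed checksum file, not from the script download itself):
#   fetch_pinned https://cli.inference.sh 'PINNED_SHA256_HEX' ./install.sh
#   less ./install.sh        # review before running
#   sh ./install.sh
```

Pinning a digest rather than a URL is what turns "the script may change under you" into a hard failure: a new upstream release, benign or not, stops the install until someone deliberately updates the pinned value. The same principle applies to the MEDIUM finding, where the equivalent of the digest is a version or commit hash on the `npx skills add` reference.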
[Full SkillShield report](https://skillshield.io/report/e4d5c2c8c8f9c0c5)
Powered by SkillShield