Trust Assessment
chia-walletconnect received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 2 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Open CORS Policy on API Endpoints, Outdated Dependency: node-fetch.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Unpinned npm dependency version.** Dependency '@walletconnect/sign-client' is not pinned to an exact version ('^2.11.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/koba42corp/chia-walletconnect/package.json |
| MEDIUM | **Open CORS Policy on API Endpoints.** The Express server uses `cors()` without specifying allowed origins, effectively enabling Cross-Origin Resource Sharing (CORS) for all domains. This allows any website to make requests to the `/api/verify` and `/api/status/:userId` endpoints. While the verification process itself relies on cryptographic signatures, an open CORS policy can expose the API to potential abuse, such as denial-of-service attacks, or allow malicious sites to probe for user verification status if `userId`s are guessable. The skill's own `SKILL.md` documentation advises against this in its 'Production Checklist' by stating 'Enable CORS only for your domain'. Configure the `cors` middleware to restrict access to only trusted origins, for example `app.use(cors({ origin: 'https://your-app.vercel.app' }))`, or derive the allowed origin dynamically from a whitelist of trusted domains. | LLM | server/index.js:10 |
| LOW | **Outdated Dependency: node-fetch.** The `package.json` and `package-lock.json` specify `node-fetch` version `^2.6.7`. This is an older version of the `node-fetch` library (released in 2021). While no critical vulnerabilities directly exploitable in this skill's context are immediately apparent, older dependencies may contain known security flaws or lack important security patches present in newer versions. It is a general best practice to keep dependencies updated to their latest stable versions to benefit from security fixes and improvements. Update `node-fetch` to its latest stable version (e.g., `^2.7.0` for v2, or consider migrating to v3.x if compatible) to ensure all known security patches are applied. Run `npm update node-fetch` and review any breaking changes. | LLM | package.json:26 |
Full report: https://skillshield.io/report/392f3445f482f72e