Trust Assessment
clawbrawl received a trust score of 69/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 0 medium, and 1 low severity. Key findings include Node lockfile missing, Insecure HTTP downloads for skill installation, Unencrypted API communication (HTTP).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Insecure HTTP downloads for skill installation.** The `install` script in `package.json` downloads skill files (`SKILL.md`, `HEARTBEAT.md`, `package.json`) using `http://` instead of `https://`. This makes the installation process vulnerable to Man-in-the-Middle (MITM) attacks. An attacker could intercept the HTTP requests and inject malicious code into the downloaded files, leading to arbitrary code execution, data exfiltration, or prompt injection when the skill is used or its components are processed. Update all `http://` URLs in the `install` script to `https://` to ensure secure, authenticated downloads. For example, `https://www.clawbrawl.ai/skill.md`. Ensure the server also supports HTTPS. | LLM | package.json:25 |
| HIGH | **Unencrypted API communication (HTTP).** The skill's configuration in `package.json` specifies the `api_base` as `http://api.clawbrawl.ai/api/v1`. This means all API communication between the agent and the Claw Brawl API, including sensitive data like the `CLAWBRAWL_API_KEY` (sent in `Authorization` headers), agent names, bet reasons, and confidence scores, will be transmitted unencrypted. This makes the data vulnerable to eavesdropping and Man-in-the-Middle (MITM) attacks, potentially leading to credential harvesting and data exfiltration. The `SKILL.md` documentation and `curl` examples also reflect this insecure configuration. Update the `api_base` URL in `package.json` and all `curl` examples in `SKILL.md` to use `https://` (e.g., `https://api.clawbrawl.ai/api/v1`). Ensure the API server is configured to support HTTPS. | LLM | package.json:16 |
| LOW | **Node lockfile missing.** `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/anjieyang/clawbrawl/package.json |