Trust Assessment
clawdaddy received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 3 high, 0 medium, and 0 low severity. Key findings include "Hardcoded Bearer Token detected" and "Insecure instruction for handling sensitive management token".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 9c1b8e80). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/gregm711/agentdomainservice/SKILL.md:184 |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/gregm711/agentdomainservice/SKILL.md:196 |
| HIGH | **Insecure instruction for handling sensitive management token.** The skill, provided as untrusted content, explicitly instructs the LLM agent to "Save the `managementToken` immediately!" after a successful domain purchase. This instruction, originating from untrusted input, directs the agent to handle a highly sensitive credential without specifying secure storage mechanisms. LLM agents often lack inherent secure secret management, and following such an instruction could lead to the `managementToken` being stored in insecure locations (e.g., conversational memory, unencrypted logs, or exposed variables), making it vulnerable to exfiltration or unauthorized access. A compromised `managementToken` grants full control over the registered domain. Instruct the LLM to store the `managementToken` in a secure, ephemeral, and encrypted secret store, not in conversational memory or logs. Provide clear guidelines on how the agent should handle and protect this sensitive credential, emphasizing that it should not be exposed to users or stored persistently without encryption. Consider using a secure vault or environment variable mechanism for token storage, and ensure the agent is designed to interact with such mechanisms securely. For human-facing interactions, prompt the user to store the token securely themselves, rather than the agent. | LLM | SKILL.md:138 |