Trust Assessment
clawdbot-dashboard received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is client-side exposure of a sensitive session ID via environment variables.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Client-side exposure of sensitive session ID via environment variables. The skill's documentation (`SKILL.md`) instructs users to define `VITE_SESSION_ID` in a `.env` file. Vite, by design, exposes variables prefixed with `VITE_` to the client-side JavaScript bundle. If `VITE_SESSION_ID` contains sensitive information (e.g., an authentication token or a unique identifier for a user's session), its exposure in the client-side code allows any user to inspect and potentially steal this credential, leading to session hijacking or unauthorized access. Do not store sensitive session IDs or API keys directly in client-side environment variables (i.e., those prefixed with `VITE_`). Instead, these should be managed server-side, passed securely to the client (e.g., via HTTP-only cookies for session IDs, or fetched from a secure backend endpoint), or used only in server-side contexts. If a session ID is truly needed client-side, ensure it is non-sensitive and cannot be used for authentication or unauthorized access. | LLM | SKILL.md:205 |