Trust Assessment
clawdhub received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Reliance on external npm package introduces supply chain risk.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Reliance on external npm package introduces supply chain risk The skill's manifest specifies the installation of the 'clawdhub' npm package globally. If this package or any of its upstream dependencies are compromised, it could lead to arbitrary code execution on the host system during skill installation or execution. This is a common supply chain vector for software that pulls external dependencies. Pin the 'clawdhub' package to a specific, known-good version (e.g., 'clawdhub@1.2.3') to prevent unexpected updates. Implement package integrity checks (e.g., checksums) if the ecosystem supports it. Regularly audit the 'clawdhub' package for vulnerabilities and malicious updates. Consider vendoring critical dependencies or using private registries with strict controls. | LLM | Manifest |
Scan History
Embed Code
[](https://skillshield.io/report/567517128d055471)
Powered by SkillShield