Trust Assessment
clawdhub received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The key finding is an unpinned npm dependency for global CLI installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Unpinned npm dependency for global CLI installation.** The skill's manifest specifies the 'clawdhub' npm package for global installation (`npm i -g clawdhub`) without pinning a specific version. This allows for the installation of the latest available version, which could be a malicious update published by an attacker. Given that the 'clawdhub' CLI tool handles sensitive operations such as `login` (involving user credentials) and `publish` (accessing and uploading local files), a compromised package could lead to severe consequences including command injection, data exfiltration, and credential harvesting, with broad system access due to the global installation. Pin the 'clawdhub' npm package to a specific, known-good version in the manifest (e.g., change `"package": "clawdhub"` to `"package": "clawdhub@1.2.3"`). Regularly review and update the pinned version to incorporate security fixes and new features while mitigating supply chain risks. | LLM | Manifest (frontmatter JSON) |