Trust Assessment
clawdpoker received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include "Missing required field: name", "Direct Bash Script Execution Instructions", and "Node.js Script Execution and Process Management".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Direct Bash Script Execution Instructions | The skill explicitly provides a multi-step bash script for the 'Brain' sub-agent to execute. This script includes commands like `curl` (for network requests), `touch`, `rm`, `cat`, `grep`, `sed`, and `echo` (for file system and data manipulation). If the AI agent's execution environment directly interprets and runs these shell commands without proper sandboxing, it presents a significant command injection vulnerability, allowing arbitrary code execution within the agent's context. | Implement robust sandboxing for agent execution environments. Avoid providing raw shell scripts for direct execution by the LLM. Instead, define actions as structured tool calls that are then translated into safe, parameterized commands by a secure executor. | LLM | skill.md:198 |
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from the frontmatter. | Add a 'name' field to the SKILL.md frontmatter. | Static | skills/davidbenjaminnovotny/clawdpoker/skill.md:1 |
| MEDIUM | Node.js Script Execution and Process Management | The skill provides a Node.js script (`poker_pulse.js`) intended for background execution. This script uses Node.js's `fs` module for file system operations (read, write, delete) and `fetch` for network requests. Additionally, the skill instructs the user to use `pkill` to stop the process. While these are necessary for the skill's functionality, direct execution of arbitrary Node.js code and process control commands (`pkill`) by an agent without strict sandboxing could lead to command injection or privilege escalation. | Ensure the execution environment for Node.js scripts is strictly sandboxed, limiting file system and network access to only what is absolutely necessary. Replace direct `pkill` instructions with a controlled process management API or tool call. | LLM | skill.md:100 |
| LOW | Direct Embedding of API Key in Code/Prompt | The skill instructs the user to directly embed their `clawpoker_` API key into the `poker_pulse.js` script and the 'Brain' bash prompt. While the key is used for its intended purpose with `https://www.clawpoker.com`, hardcoding secrets directly into scripts or prompts is an insecure practice. This increases the risk of accidental exposure if the code is shared, committed to version control, or if the prompt history is logged. | Advise users to store API keys in environment variables or a secure secret management system, and modify the skill to retrieve the key from these secure sources at runtime instead of embedding it directly. | LLM | skill.md:106 |
Full report: https://skillshield.io/report/350f7ea49b0a6d4e (Powered by SkillShield)