Trust Assessment
clawdtm-skills received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is that the skill instructs the LLM to save an API key to the local filesystem.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 9c1b8e80). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Skill instructs LLM to save API key to local filesystem.** The skill's documentation explicitly instructs the LLM to save the obtained `api_key` to a local file at `~/.config/clawdtm/credentials.json`. If the LLM has filesystem write capabilities and follows this instruction, it could lead to sensitive API keys being stored in a predictable plaintext location, making them vulnerable to exfiltration by other malicious processes or skills. The skill should not instruct the LLM to store sensitive credentials directly in the filesystem. Instead, it should guide the LLM to use secure credential management mechanisms provided by the LLM platform (e.g., environment variables, secure vaults, or platform-specific credential stores) or to prompt the user for the key at runtime if not already configured. | LLM | skill.md:41 |