Trust Assessment
clawdvine received a trust score of 76/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include Hardcoded Bearer Token detected, Unpinned npm dependency version, Exposure of EVM_PRIVATE_KEY via environment variable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Layer | Location |
|---|---|---|---|---|
| HIGH | Hardcoded Bearer Token detected | A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/c0rv0s/clawdvine-skill/clawdvine-skill-1.1.0/SKILL.md:47 |
| MEDIUM | Unpinned npm dependency version | Dependency '@x402/evm' is not pinned to an exact version ('^2.2.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/c0rv0s/clawdvine-skill/clawdvine-skill-1.1.0/package.json |
| LOW | Exposure of EVM_PRIVATE_KEY via environment variable | The skill's documentation and scripts instruct users to provide their `EVM_PRIVATE_KEY` as an environment variable (e.g., `EVM_PRIVATE_KEY=0x...`). While the scripts process the key locally for signing and do not transmit it over the network, storing sensitive credentials like private keys in environment variables can expose them to other processes, shell history, or logs. This practice increases the risk of credential harvesting or data exfiltration if the user's environment is compromised or misconfigured. Recommend using a more secure secrets management solution (e.g., a dedicated wallet service, hardware wallet integration, or a secure prompt for input) instead of directly passing private keys via environment variables or command-line arguments. If environment variables must be used, advise users on best practices for securing their shell environment and process memory. | LLM | SKILL.md:160 |
| INFO | Use of caret (^) versions for dependencies | The `package.json` specifies dependencies using caret (`^`) versions (e.g., `"@x402/evm": "^2.2.0"`). While `package-lock.json` ensures reproducible builds for a specific installation, using caret versions in `package.json` allows automatic updates to minor and patch versions when `npm install` is run without a lockfile. This introduces a slight supply-chain risk, as a malicious update within the allowed version range could be pulled in without explicit review. Consider pinning exact versions for all dependencies in `package.json` to ensure maximum reproducibility and control over the exact code being used. Regularly audit dependencies for known vulnerabilities. | LLM | package.json:13 |
Full report: https://skillshield.io/report/273ec181b3151be0
Powered by SkillShield