Trust Assessment
clawdvine received a trust score of 61/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 1 medium, and 2 low severity. Key findings include Hardcoded Bearer Token detected, Unpinned npm dependency version, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/c0rv0s/clawdvine-skill/SKILL.md:47 |
| HIGH | **Direct use of EVM private key from environment variable.** The skill's bundled scripts (`scripts/sign-siwe.mjs`, `scripts/check-balance.mjs`, `scripts/x402-generate.mjs`) explicitly instruct the user to provide an `EVM_PRIVATE_KEY` via an environment variable. This private key is then directly used to sign messages and initiate financial transactions (USDC payments). Storing a private key in an environment variable is a high-risk practice, as it can be exposed through process listings, logs, or inheritance by child processes, significantly increasing the risk of credential compromise and unauthorized fund transfers. Implement more secure credential management practices. Avoid storing raw private keys in environment variables. Consider using a Key Management Service (KMS), a secure vault, or prompting the user for the private key at runtime (e.g., via a secure input mechanism) rather than relying on persistent environment variables. If an environment variable is unavoidable, ensure the environment is highly secured and the key is ephemeral or tightly scoped. | LLM | SKILL.md:150 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `@x402/evm` is not pinned to an exact version (`^2.2.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/c0rv0s/clawdvine-skill/package.json |
| LOW | **Node lockfile missing.** `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/c0rv0s/clawdvine-skill/package.json |
| LOW | **Unpinned dependencies in package.json.** The `package.json` file uses caret (`^`) ranges for its dependencies (e.g., `@x402/evm: ^2.2.0`). While common, this practice allows automatic updates to minor and patch versions. A malicious actor could publish a compromised minor or patch version of a dependency, which would then be installed automatically, introducing vulnerabilities without explicit review. This constitutes a supply-chain risk. Pin exact versions for all dependencies (e.g., `@x402/evm: 2.2.0`) to ensure deterministic builds and prevent unexpected or potentially malicious code changes from upstream dependencies. Use a dependency lock file (e.g., `package-lock.json` or `yarn.lock`) and ensure it is committed and respected during installation. | LLM | package.json:10 |