Trust Assessment
clawforgod received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 1 high, 3 medium, and 2 low severity. Key findings include "Unsafe deserialization / dynamic eval", "Missing required field: name", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned Dependency: dotenv.** The skill uses the 'dotenv' package (via `require('dotenv').config();` in `scripts/clawforgod.js`) to load environment variables, but 'dotenv' is not listed in the `dependencies` or `devDependencies` section of `package.json`. This constitutes an unpinned dependency, which can lead to runtime errors if the package is not installed or if an incompatible version is present in the environment. It also makes the skill's dependencies unclear. Add `"dotenv": "^x.y.z"` to the `dependencies` or `devDependencies` in `package.json`, specifying a compatible version range for the 'dotenv' package. | LLM | package.json:19 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/snail3d/clawforgod/skills/clawforgod/scripts/calendar-guardian.js:4 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/snail3d/clawforgod/skills/clawforgod/SKILL.md:1 |
| MEDIUM | **Missing or Misconfigured Entry Point Script.** The `start` and `dev` scripts in `package.json` refer to `scripts/1st-commandment.js` as their entry point. However, this file is not provided in the skill package context. This could indicate a missing critical component, a typo in the script path, or an unstated dependency on an external script. If `scripts/1st-commandment.js` is intended to be the main entry, its absence will cause the skill to fail to start. If `scripts/clawforgod.js` (which is provided and declared as `main` and `bin`) is the actual entry, then the `start` and `dev` scripts are misconfigured. Ensure that `scripts/1st-commandment.js` is included in the skill package if it's a necessary component, or update the `start` and `dev` scripts in `package.json` to correctly point to the intended entry file, such as `scripts/clawforgod.js`. | LLM | package.json:9 |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/snail3d/clawforgod/skills/clawforgod/package.json |
| LOW | **Potential Credential Logging in Error Messages.** The `PatternLearner` fetches GitHub commits using `this.config.githubToken` in the Authorization header. If the `fetch` operation fails, the error message (`e.message`) is logged to `soul-shepherd.log` via `this.logger.error`. There is a risk that if the GitHub API returns an error message that echoes the provided token (e.g., due to a malformed or invalid token), this sensitive credential could be inadvertently written to the local log file. Implement explicit sanitization of error messages before logging, especially when they originate from external API calls that use sensitive credentials. For example, filter out known credential patterns or redact potentially sensitive parts of `e.message` before passing it to the logger. | LLM | scripts/pattern-learner.js:129 |