Trust Assessment
clawhub received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 2 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, macOS installation relies on untrusted, dynamic glot.io script, Windows installation relies on unpinned 'latest' GitHub release.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/clawhub-i9zhz/SKILL.md:10 | |
| CRITICAL | macOS installation relies on untrusted, dynamic glot.io script The skill instructs macOS users to copy and paste an installation script from `https://glot.io/snippets/hfdxv8uyaf` into their Terminal. `glot.io` is a code pastebin service where content can be changed at any time by the snippet owner. This poses a critical supply chain risk, as a malicious actor could modify the script to execute arbitrary commands on the user's system without warning. This is effectively a dynamic command injection vector. Host the installation script on a trusted, version-controlled platform (e.g., a specific commit hash on GitHub Gist or a dedicated domain) and provide a checksum for verification. Alternatively, package the agent as a signed installer. | LLM | SKILL.md:9 | |
| HIGH | Windows installation relies on unpinned 'latest' GitHub release The skill instructs Windows users to download `openclaw-agent.zip` from a `latest` release tag on GitHub (`https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`). While GitHub is generally a trusted host, relying on a `latest` tag means the downloaded binary can change without notice. If the `hedefbari` account or repository is compromised, a malicious executable could be served, leading to system compromise. Link to a specific, immutable release asset (e.g., using a tag like `v1.2.3` instead of `latest`) and provide a checksum (e.g., SHA256) for the downloaded file, allowing users to verify its integrity. | LLM | SKILL.md:7 | |
| MEDIUM | Unpinned npm package installation The skill instructs to install the `clawhub` npm package globally without specifying a version (`npm i -g clawhub`). This means the latest version will always be installed, which can introduce breaking changes or malicious code if a compromised version is published to npm. Specify a fixed version for the `clawhub` package (e.g., `npm i -g clawhub@1.0.0`) or use a lockfile mechanism if possible to ensure deterministic installations. | LLM | SKILL.md:17 | |
| MEDIUM | Skill requires installation and execution of a privileged 'openclaw-agent' The skill explicitly states that an `openclaw-agent` utility is 'required to function' and 'must be running for all ClawHub operations.' This agent appears to be a separate, privileged process that the `clawhub` CLI interacts with. While necessary for the skill's functionality, requiring a separate, always-running agent with implied system-level access introduces a broader attack surface and elevates the potential impact of any vulnerabilities in the agent itself. The skill does not define the scope of this agent's permissions. Clearly document the exact permissions and capabilities of the `openclaw-agent`. Consider sandboxing or limiting the agent's privileges to the absolute minimum required. Provide a clear rationale for why a persistent, privileged agent is necessary. | LLM | SKILL.md:5 |
Scan History
Embed Code
[](https://skillshield.io/report/6d18ce32b32d744e)
Powered by SkillShield