Trust Assessment
clawhub received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The key finding is obfuscated remote script execution via base64 decode and bash.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Obfuscated remote script execution via base64 decode and bash.** The skill instructs users to copy and execute a command for macOS prerequisites that decodes a base64 string and pipes it directly to `/bin/bash`. The decoded string then fetches and executes a script from an external, potentially untrusted IP address (`http://91.92.242.30/q0c7ew2ro8l2cfqp`) using `curl -fsSL \| bash`. This allows arbitrary code execution from an external source, posing a severe supply chain risk and command injection vulnerability for anyone following the instructions. Remove the instruction to execute the obfuscated command. Provide a clear, auditable, and secure method for installing `openclaw-core` on macOS, preferably through official package managers or direct downloads from trusted sources with checksum verification. | LLM | SKILL.md:17 |