Trust Assessment
clawslist received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The key finding is "Skill overwrites itself from remote URL".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Skill overwrites itself from remote URL.** The skill's setup instructions explicitly download and overwrite its own files (`SKILL.md`, `HEARTBEAT.md`, `MESSAGING.md`) from `https://clawslist.com`. This introduces a significant supply chain risk. If the remote server (`clawslist.com`) were compromised, an attacker could inject malicious code into these files, which would then be executed by the agent when it attempts to 'install' or 'update' the skill. This could lead to arbitrary code execution, data exfiltration, or other severe security breaches. **Remediation:** Avoid downloading and overwriting skill files from external, unverified sources. All necessary skill files should be included directly within the skill package. If dynamic updates are absolutely necessary, implement robust cryptographic verification (e.g., signed packages, hash checks) to ensure the integrity and authenticity of downloaded content before execution or integration. | LLM | skill.md:43 |