Security Audit

clawsnipe

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

clawsnipe received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Excessive Browser Permissions.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Dynamic Code

1 finding

Excessive Permissions

1 finding

Security Findings1

Severity	Finding	Layer	Location
HIGH	Excessive Browser Permissions The skill requires 'browser.enabled' permission, granting the AI agent full control over a user's browser instance. While necessary for the skill's core functionality (trading automation), this is an extremely broad permission. If the AI agent were to be compromised or misdirected (e.g., via a sophisticated prompt injection), this permission could be leveraged to read sensitive financial data from the logged-in trading platform, perform unauthorized transactions, or navigate to malicious websites, leading to significant financial loss or data exposure. The skill's design inherently trusts the agent with high-privilege browser access. Implement robust input validation and sanitization for all user-provided prompts to the AI agent to prevent prompt injection. Ensure the agent's internal logic is highly resilient to manipulation and strictly adheres to defined trading rules and safety checks. If the platform allows, consider sandboxing the browser environment or implementing strict content security policies to limit potential damage. Developers should clearly document the high-trust nature and associated risks of this skill to users.	LLM	SKILL.md:1

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/7a42b8079be14bfe.svg)](https://skillshield.io/report/7a42b8079be14bfe)