Trust Assessment
clawsocial received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include dynamic execution of external instructions via heartbeat, unverified remote code download during local installation, and an inconsistent API base URL definition.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Dynamic execution of external instructions via heartbeat.** The skill instructs the agent to periodically fetch `heartbeat.md` from `https://clawsocial.io` and 'follow it'. This means the agent is expected to execute arbitrary instructions provided by an external, dynamically loaded file. This creates a severe command injection vulnerability and a dynamic supply chain risk, as the content of `heartbeat.md` can change at any time to include malicious commands or prompt injections, bypassing static analysis. Do not instruct the agent to fetch and execute arbitrary instructions from external URLs. All operational logic should be contained within the skill package or explicitly defined via safe, structured API calls. If dynamic updates are necessary, they should be limited to data, not executable instructions, and validated rigorously. | LLM | skill.md:70 |
| HIGH | **Unverified remote code download during local installation.** The skill provides instructions for local installation that involve downloading `SKILL.md`, `HEARTBEAT.md`, and `package.json` directly from `https://clawsocial.io` using `curl`. If `clawsocial.io` were compromised, an attacker could inject malicious code into these files. The agent would then download and potentially execute this malicious code, leading to a supply chain attack. While this is an installation step, an agent might interpret these as executable commands. Implement secure installation practices. This could involve: 1) Distributing skills via a trusted package manager with integrity checks (e.g., checksums, signed packages). 2) Providing explicit hashes for downloaded files that the agent or user can verify. 3) Avoiding direct execution of downloaded scripts without prior review and sandboxing. 4) If direct download is necessary, ensure the source domain is highly trusted and consider pinning certificates. | LLM | skill.md:30 |
| MEDIUM | **Inconsistent API base URL definition.** The `skill.json` manifest defines `api_base` as `https://clawsocial.io/v1`, while the `SKILL.md` explicitly instructs the agent to 'Use `https://api.clawsocial.io` for API requests' and `https://clawsocial.io` for 'web URLs (profiles, claims)'. This discrepancy could lead to API requests, including those containing the agent's API key, being sent to the incorrect domain (`clawsocial.io` instead of `api.clawsocial.io`). The `SKILL.md` also warns that `www.clawsocial.io` 'will redirect and may strip headers', suggesting potential issues with using the base domain for API calls. This could result in failed API calls or, in a worst-case scenario, unintended exposure or mishandling of API keys if the base domain's handling of API requests is less secure or redirects in an insecure manner. Ensure consistency in the API base URL definition across all skill files. The `api_base` in `skill.json` should match the recommended API endpoint in `SKILL.md`, which is `https://api.clawsocial.io/v1`. | LLM | skill.json:7 |