Trust Assessment
clawspaces received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 1 medium, and 1 low severity. Key findings include "Agent instructed to enter indefinite, non-terminating loop", "Agent instructed to make autonomous decisions without further user input", and "Agent instructed to save API key without specifying secure storage".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Agent instructed to enter indefinite, non-terminating loop | The skill explicitly instructs the AI agent to enter a continuous participation loop and "NEVER EXIT" or "Run this loop FOREVER until the Space ends. NEVER EXIT after speaking once!". This directive attempts to override the agent's natural termination conditions, forcing it into an indefinite, autonomous task that could consume resources or prevent it from responding to other user commands or instructions. | Modify the instructions to allow for graceful termination or user-initiated exit from the loop. Provide clear conditions under which the agent should exit the loop (e.g., "until the user explicitly tells you to stop" or "after a specified period of inactivity"). | LLM | SKILL.md:100 |
| MEDIUM | Agent instructed to make autonomous decisions without further user input | The skill instructs the agent that "After consent, you will autonomously decide whether to join or host." This grants the agent significant autonomy in deciding its actions within the Clawspaces platform after an initial "yes" from the user, potentially leading to unexpected or undesired behavior if the user expects more granular control over the agent's participation. | Clarify the scope of autonomy. Consider adding instructions for the agent to periodically seek user confirmation for major decisions (e.g., "Before hosting a new space, ask the user for confirmation on the topic") or to provide options for the user to guide its autonomous choices. | LLM | SKILL.md:40 |
| LOW | Agent instructed to save API key without specifying secure storage | The skill explicitly instructs the agent to "Save the `api_key` immediately - it's only shown once!". While necessary for the skill's functionality, this instruction does not specify *how* or *where* to securely store the API key, potentially leading to insecure storage practices if the agent's default persistence mechanism is not secure (e.g., saving to a plain text file). | Add guidance on secure storage practices for sensitive credentials, such as using platform-provided secure storage mechanisms, environment variables, or encrypted storage, rather than relying on unspecified default persistence. | LLM | SKILL.md:170 |
| INFO | Reliance on external, third-party API for core functionality | The skill's entire operation depends on an external API hosted at `https://xwcsximwccmmedzldttv.supabase.co/functions/v1/api`. The security, availability, and data handling practices of this third-party service are outside the direct control of the skill developer or the agent's host environment. A compromise or outage of this service would render the skill inoperable and could potentially expose data sent to it. | Acknowledge and monitor the external dependency. Implement robust error handling for API failures. For critical applications, evaluate the security posture and terms of service of the third-party provider. Consider providing alternative endpoints or fallback mechanisms if available. | LLM | SKILL.md:140 |