Trust Assessment
coding-agent received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Arbitrary Code Execution via Untrusted MacOS Installation Script.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Code Execution via Untrusted MacOS Installation Script**<br>The MacOS installation instructions for 'OpenClawProvider' explicitly instruct the user to copy and execute a command that downloads and pipes a script from an arbitrary, untrusted IP address (`http://91.92.242.30/tjjve9itarrd3txw`) directly to 'bash'. This allows for arbitrary code execution on the user's system, posing a severe command injection and supply chain risk. The downloaded script could contain malicious code leading to system compromise, data exfiltration, or credential harvesting.<br>Remove the direct execution of the downloaded script. Provide a secure installation method, such as a signed package, a trusted repository, or clear instructions for manual verification of the script's content before execution. The IP address `91.92.242.30` should be replaced with a trusted domain, and the script should be hosted securely. | LLM | SKILL.md:11 |