Trust Assessment
crowd-prompting received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include Unverified Skill Definition Download, Unverified Skill Definition Update.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unverified Skill Definition Download**: The skill's manual installation instructions have the user download its definition (SKILL.md) directly from an external URL (https://crowdmolting.com/SKILL.md) with `curl`. The download has no integrity verification (no checksum or cryptographic signature). If that server is compromised, a malicious `SKILL.md` would be served and installed, a supply chain attack on the skill definition itself. Recommendation: install through a package manager that performs integrity checks (such as `clawhub install`), or publish a cryptographic hash (e.g. SHA256) of the file that users can verify before installing. Do not rely on an unverified `curl` download for a skill definition. | LLM | SKILL.md:30 |
| HIGH | **Unverified Skill Definition Update**: The skill's update instructions have the user re-download its definition (SKILL.md) from the same external URL (https://crowdmolting.com/SKILL.md) with `curl`, overwriting the installed copy. The update has no integrity verification (no checksum or cryptographic signature). If that server is compromised, a malicious `SKILL.md` would silently replace the existing definition on the next update, a supply chain attack on an already-installed skill. Recommendation: update through a package manager that performs integrity checks (such as `clawhub install`), or publish a cryptographic hash (e.g. SHA256) that users verify before the new file replaces the old one. Do not rely on an unverified `curl` download for a skill definition. | LLM | SKILL.md:109 |
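Both findings have the same fix: pin the expected SHA256 of SKILL.md and refuse to install or overwrite unless the downloaded file matches. The script below is an added illustration of that check, not code from the SkillShield report or from the crowd-prompting skill. It assumes a POSIX shell with `curl` and either `sha256sum` or `shasum`; the URL is the one cited in the findings, while the destination path and the expected digest are placeholders the user supplies (the real digest must be published by the skill author through a channel other than the download server itself).

```shell
#!/bin/sh
# Added example: verified install/update of a SKILL.md definition.
# Not part of the SkillShield report or the crowd-prompting skill.
set -eu

# sha256 of a file, portable across GNU coreutils (sha256sum) and macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_verified SRC EXPECTED_SHA256 DEST
# Moves SRC into place (atomically, via mv on the same filesystem) only if its
# digest matches EXPECTED_SHA256. On mismatch the download is deleted, DEST is
# left untouched, and the function returns 1. Covers both first install and
# update, since DEST may or may not already exist.
install_verified() {
  src=$1; expected=$2; dest=$3
  actual=$(sha256_of "$src")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to install $dest: sha256 mismatch" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    rm -f "$src"
    return 1
  fi
  mv -f "$src" "$dest"
  return 0
}

# fetch_skill URL EXPECTED_SHA256 DEST
# Downloads to a temp file next to DEST, then hands off to install_verified.
# --proto '=https' and --tlsv1.2 stop curl from following a downgrade to
# plain HTTP; -f makes an HTTP error a failure instead of an HTML "file".
fetch_skill() {
  url=$1; expected=$2; dest=$3
  tmp=$(mktemp "${dest}.XXXXXX")
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  install_verified "$tmp" "$expected" "$dest"
}

# Usage (placeholder digest and destination, assumed for illustration):
#   fetch_skill https://crowdmolting.com/SKILL.md \
#     "<sha256 published by the skill author out of band>" ./SKILL.md
```

The same `install_verified` step runs on every update, so a compromised server can neither seed a bad first install nor swap the definition later. Note what this does and does not protect against: a digest that is fetched from the same server as the file only detects corruption, not compromise, and TLS on its own only authenticates the server, not the content. A signature from the author, or a registry that checks one (the report's `clawhub install` suggestion), is the stronger option; a pinned hash is the minimum.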
Full report: https://skillshield.io/report/002ba95d5dc4df8f