Trust Assessment
daily_devotion received a trust score of 82/100, placing it in the Mostly Trusted category: the skill passed most security checks, with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The two findings are an unpinned npm dependency (high) and an external repository dependency (medium); both are supply-chain concerns rather than defects in the skill's own code.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Recommendation | Layer | Location |
|---|---|---|---|---|
| HIGH | Unpinned npm dependency. The skill's manifest and documentation instruct users to install `daily-devotion-skill` via npm without specifying a version, so every install resolves to whatever the registry's `latest` tag points at. If a malicious version is published, or the maintainer's npm account is compromised, the next install fetches and executes it. | Pin the dependency to a specific, reviewed version (e.g., `npm install daily-devotion-skill@1.1.0`). Commit a `package-lock.json` carrying the registry integrity hashes and install with `npm ci`, which fails rather than silently resolving a version that differs from the lockfile. | LLM | SKILL.md:28 |
| MEDIUM | External repository dependency. The skill's manifest points to an external GitHub repository (`https://github.com/enjuguna/Molthub-Daily-Devotion`) that differs from the `openclaw/skills` repository where the skill is hosted, so the skill's source of truth is a third-party repository. This is not inherently malicious, but the integrity of that repository is outside the `openclaw` project's control: a compromise of the external repository could introduce malicious code into the skill without any change visible in `openclaw/skills`. | Document the relationship and trust model for the external dependency. Consider mirroring critical external sources into the hosting repository, or pinning references to a specific commit rather than a branch, and apply the same vetting to third-party code as to first-party code. Confirm that the external repository is actively maintained. | LLM | SKILL.md:33 |
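Both findings reduce to the same check: does every dependency resolve to exactly one reviewable artifact? The following Node.js script is an added example, not SkillShield's scanner or the skill's own code. It lints a constructed `package.json` and `package-lock.json` pair (the sample manifest, dependency names other than `daily-devotion-skill`, and the commit hash are all assumptions made up for the example) for the three conditions the report describes: registry specs that are ranges or dist-tags instead of exact versions, git-hosted dependencies that are not pinned to a full commit SHA, and lockfile entries that lack the integrity hash `npm ci` needs to verify what it installs.

```javascript
'use strict';

// Exact version: MAJOR.MINOR.PATCH with optional pre-release/build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// A git dependency counts as pinned only when its fragment is a full 40-hex commit.
const FULL_COMMIT = /^[0-9a-f]{40}$/i;
// Git-hosted specs: git+..., git:, github:/gitlab:/bitbucket:/gist: prefixes, or "owner/repo" shorthand.
const GIT_SPEC = /^(?:git\+|git:|github:|gitlab:|bitbucket:|gist:|[\w.-]+\/[\w.-]+(?:#|$))/;
// Subresource-integrity hash as written in lockfileVersion 2/3 entries.
const SRI_HASH = /^sha(?:256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Classify one package.json version spec. Returns { pinned, reason }.
function classifySpec(spec) {
  if (typeof spec !== 'string' || spec.trim() === '') {
    return { pinned: false, reason: 'empty spec resolves to latest' };
  }
  if (spec.startsWith('npm:')) {                  // alias form "npm:real-name@<spec>"
    const at = spec.lastIndexOf('@');
    return at > 4 ? classifySpec(spec.slice(at + 1)) : { pinned: false, reason: 'alias without version' };
  }
  if (spec.startsWith('file:') || spec.startsWith('link:')) {
    return { pinned: true, reason: 'local path, review its contents separately' };
  }
  if (GIT_SPEC.test(spec)) {
    const hash = spec.includes('#') ? spec.slice(spec.indexOf('#') + 1) : '';
    const ref = hash.startsWith('semver:') ? '' : hash;   // "#semver:^1.0" is a range, not a commit
    return FULL_COMMIT.test(ref)
      ? { pinned: true, reason: 'git dependency pinned to commit' }
      : { pinned: false, reason: 'git dependency without a full commit SHA' };
  }
  if (/^https?:\/\//.test(spec)) {
    return { pinned: false, reason: 'remote tarball; trust depends on lockfile integrity hash' };
  }
  return EXACT_SEMVER.test(spec)
    ? { pinned: true, reason: 'exact version' }
    : { pinned: false, reason: `range or dist-tag "${spec}"` };
}

// Every dependency field in the manifest, reported when the spec is not pinned.
function findUnpinned(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const { pinned, reason } = classifySpec(spec);
      if (!pinned) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// lockfileVersion 2/3 entries are keyed "node_modules/<name>"; each needs a version and an SRI hash.
function lockIntegrityGaps(lock) {
  const gaps = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue;     // root project entry / workspace symlink
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.version) gaps.push({ name, problem: 'no version recorded' });
    else if (!entry.integrity) gaps.push({ name, problem: 'no integrity hash' });
    else if (!SRI_HASH.test(entry.integrity)) gaps.push({ name, problem: 'malformed integrity hash' });
  }
  return gaps;
}

// A manifest dependency absent from the lockfile cannot be enforced by `npm ci`.
function missingFromLock(pkg, lock) {
  const resolved = new Set(Object.keys(lock.packages || {}).map((p) => p.replace(/^.*node_modules\//, '')));
  return Object.keys(pkg.dependencies || {}).filter((name) => !resolved.has(name));
}

function lintSkill(pkg, lock) {
  return { unpinned: findUnpinned(pkg), lockGaps: lockIntegrityGaps(lock), missingFromLock: missingFromLock(pkg, lock) };
}

// Constructed sample inputs for the example; they are not the real skill's files.
const PINNED_COMMIT = '0123456789abcdef0123456789abcdef01234567';   // assumed commit hash
const manifest = {
  name: 'example-skill', version: '1.0.0',
  dependencies: {
    'daily-devotion-skill': '^1.1.0',                                   // caret range: unpinned
    'left-pad': '1.3.0',                                                // exact version: pinned
    'helper-lib': 'github:example-org/helper-lib',                      // git branch, no commit: unpinned
    'vendored-lib': `github:example-org/vendored-lib#${PINNED_COMMIT}`, // git commit: pinned
  },
};
const lockfile = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-skill', version: '1.0.0' },
    'node_modules/daily-devotion-skill': { version: '1.1.0', integrity: 'sha512-' + 'A'.repeat(86) + '==' },
    'node_modules/left-pad': { version: '1.3.0' },                      // integrity hash missing
    'node_modules/helper-lib': { version: '0.1.0', integrity: 'sha512-' + 'B'.repeat(86) + '==' },
    // 'vendored-lib' deliberately absent from the lockfile
  },
};

const report = lintSkill(manifest, lockfile);
console.log(JSON.stringify(report, null, 2));
```

Against the sample inputs the report lists `daily-devotion-skill` and `helper-lib` as unpinned, `left-pad` as lacking an integrity hash, and `vendored-lib` as missing from the lockfile. In a real repository the same functions would be fed the parsed files, and a CI job would fail the build on any non-empty result so that the pinned, hashed state is enforced before `npm ci` runs.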
Full report: https://skillshield.io/report/d6c442e89c979c0d
Powered by SkillShield