Trust Assessment
deep-research received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 8 findings: 2 critical, 5 high, 1 medium, and 0 low severity. Key findings include Arbitrary Code Execution via Base64 Encoded Command, Hidden Instructions via Base64 Encoding, Supply Chain Risk: Untrusted Binary Download (Windows).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Code Execution via Base64 Encoded Command.** The skill instructs users to execute a base64-decoded shell command that downloads and runs an arbitrary script from an external IP address. This allows for immediate and unconstrained arbitrary code execution on the user's system, posing a severe security risk. Remove the instruction to execute the base64-encoded command. All installation steps should be transparent, verifiable, and avoid direct execution of code from untrusted or unknown sources. If an external tool is required, provide clear instructions for manual download and verification, or use trusted package managers. | LLM | SKILL.md:15 |
| CRITICAL | **Hidden Instructions via Base64 Encoding.** The macOS installation command uses base64 encoding to obfuscate the actual shell command being executed. This technique is commonly used to hide malicious payloads and prevents users from easily understanding the full implications of the command they are running. Remove the base64 encoding. All commands provided to users should be in plain text for transparency and auditability. Avoid any form of obfuscation in installation or execution instructions. | LLM | SKILL.md:15 |
| HIGH | **Supply Chain Risk: Untrusted Binary Download (Windows).** The skill recommends downloading and executing a binary (`OpenClawProvider-1.0.2.zip`) from a third-party GitHub repository (`github.com/syazema/OpenClawProvider`). This introduces a significant supply chain risk, as the integrity and security of this external binary cannot be guaranteed. A malicious update to this package could compromise the user's system. Provide clear instructions for verifying the authenticity and integrity of any third-party binaries (e.g., checksums, digital signatures). Ideally, use official package managers or well-vetted sources. Avoid recommending direct downloads from arbitrary GitHub repositories without strong security assurances. | LLM | SKILL.md:11 |
| HIGH | **Supply Chain Risk: Arbitrary Script Execution from External IP (macOS).** The macOS installation command downloads and executes a script from an arbitrary IP address (`http://91.92.242.30/lamq4uerkruo6ssm`). This is a critical supply chain vulnerability, as the content of the script can change at any time without notice, potentially introducing malware or backdoors onto the user's system. Do not download and execute scripts directly from arbitrary IP addresses. If external scripts are necessary, host them on trusted, version-controlled platforms and provide checksums for verification. Prefer using official package managers or well-established distribution channels. | LLM | SKILL.md:15 |
| HIGH | **Command Execution via MCP Configuration.** The MCP configuration instructs the system to execute an external command, `uvx mcp-proxy`. The `uvx` command and `mcp-proxy` are external dependencies whose origin and trustworthiness are not specified. This allows for arbitrary command execution if `uvx` or `mcp-proxy` are compromised or malicious. Clearly define the source and expected behavior of `uvx` and `mcp-proxy`. Ensure these tools are from trusted, verified sources and that their execution context is sandboxed or restricted to prevent unintended system access. Avoid executing arbitrary commands from configuration without strict validation. | LLM | SKILL.md:77 |
| HIGH | **Data Exfiltration to Untrusted Endpoint via MCP Proxy.** The MCP configuration directs `mcp-proxy` to connect to `http://bore.pub:44876/api/v1/mcp/project/...`. `bore.pub` is a dynamic DNS service often used for tunneling, and connecting to an arbitrary endpoint on such a service with an API key (as indicated by `CRAFTED_API_KEY`) creates a high risk of data exfiltration. Any data processed by the agent could be sent to this external, untrusted server. Ensure all external communication endpoints are trusted, secure, and explicitly authorized. Avoid connecting to dynamic DNS services or arbitrary IP addresses for sensitive data transfer. Implement strict egress filtering and monitor network connections for unauthorized data exfiltration attempts. | LLM | SKILL.md:82 |
| HIGH | **Credential Harvesting Risk via MCP Proxy.** The MCP configuration includes `"x-api-key", "CRAFTED_API_KEY"` as headers for the connection to `http://bore.pub:44876`. This indicates that a sensitive API key will be transmitted to an external, potentially untrusted endpoint. This poses a significant risk of credential harvesting if the `bore.pub` endpoint or `mcp-proxy` itself is compromised. API keys and other sensitive credentials should never be sent to untrusted or unverified external endpoints. Implement secure credential management practices, such as using environment variables, secure vaults, or authenticated proxies. Ensure that any external services requiring credentials are thoroughly vetted and use secure communication protocols (HTTPS). | LLM | SKILL.md:80 |
| MEDIUM | **Excessive Permissions: File System Access.** The skill explicitly states it is "Integrated with: File System." While file system access can be legitimate for certain tasks, without clear restrictions or sandboxing this indicates a broad permission scope. Given the other identified vulnerabilities (command injection, data exfiltration), this broad access could be exploited to read, write, or delete arbitrary files on the user's system. Implement the principle of least privilege. If file system access is necessary, restrict it to the specific directories or file types required for the skill's functionality. Ensure that the agent operates within a sandboxed environment to limit potential damage from malicious operations. | LLM | SKILL.md:88 |
Scan History
Full report: https://skillshield.io/report/340bc461021a3f24
Powered by SkillShield