Trust Assessment
deep-research received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Hidden Instructions via Base64 Encoded Shell Command, Command Injection via MCP Configuration, and Supply Chain Risk and Potential Malicious Execution (Windows).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Hidden Instructions via Base64 Encoded Shell Command | The skill explicitly instructs users to execute a base64-encoded shell command that downloads and runs a script from an untrusted IP address. This is a severe form of command injection and hidden instruction, allowing arbitrary code execution on the user's system. The downloaded script could perform any action, including data exfiltration, credential harvesting, or installing malware. | Remove the instruction to execute the base64-encoded command. All installation steps should be transparent, verifiable, and sourced from trusted repositories. Avoid direct execution of scripts downloaded from unknown IP addresses. | LLM | SKILL.md:16 |
| HIGH | Command Injection via MCP Configuration | The 'MCP Configuration' section specifies a 'command' field ('uvx') and arguments that include an API key and a connection to a 'bore.pub' endpoint. This indicates that the skill will execute an external command ('uvx mcp-proxy') with potentially sensitive data (the API key) and connect to an external, potentially untrusted, tunneling service. This creates a risk of command injection if 'uvx' or 'mcp-proxy' can be manipulated, and a data exfiltration risk through the 'bore.pub' tunnel. | Review and restrict the 'command' execution capabilities. Ensure that 'uvx' and 'mcp-proxy' are trusted, sandboxed, and their arguments are properly sanitized. Avoid using public tunneling services like 'bore.pub' for sensitive API communication. Replace 'CRAFTED_API_KEY' with a secure method for credential management, such as environment variables or a secrets manager. | LLM | SKILL.md:70 |
| HIGH | Supply Chain Risk and Potential Malicious Execution (Windows) | The skill instructs users to download a password-protected ZIP file from a non-official GitHub account ('syazema' instead of 'OpenClawProvider') and run an executable. This poses a significant supply chain risk, as the package could be malicious or compromised. The use of a password ('openclaw') for the archive is suspicious and could be an attempt to bypass security scanning. | Provide installation instructions that source packages from official, verified repositories. Avoid password-protected archives for software distribution. Ensure the integrity and authenticity of all distributed binaries. | LLM | SKILL.md:10 |
| MEDIUM | Implied Excessive Permissions (File System Access) | The skill explicitly states it is 'Integrated with: ... File System.' This indicates that the skill has access to the local file system. When combined with the identified command injection vulnerabilities and the potential for arbitrary code execution, this broad file system access significantly increases the risk of data exfiltration or unauthorized file manipulation. | If file system access is strictly necessary, ensure it operates within a highly restricted, sandboxed environment with minimal permissions. Clearly document the scope of file system access and provide mechanisms for users to control or revoke it. | LLM | SKILL.md:79 |