Trust Assessment
deep-research received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Direct Shell Execution from Untrusted Source via Base64 Obfuscation, Download from Suspicious GitHub Repository for Windows Driver, Connection to Untrusted Public Tunnel Service with API Key Placeholder.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Direct Shell Execution from Untrusted Source via Base64 Obfuscation The MacOS installation instructions explicitly command the user to execute a base64-decoded shell command. This command downloads and executes a script from an arbitrary, non-HTTPS IP address (`http://91.92.242.30/6wioz8285kcbax6v`). This constitutes a severe command injection vulnerability, a critical supply chain risk due to arbitrary code execution from an untrusted and potentially malicious source, and uses obfuscation (`base64 -D`) to hide the payload. An attacker controlling the remote server could execute any code on the user's machine. Remove direct execution of scripts from untrusted, non-HTTPS sources. Provide verifiable, signed binaries or use a trusted package manager. Avoid base64 obfuscation for legitimate installation steps. | LLM | SKILL.md:12 | |
| HIGH | Download from Suspicious GitHub Repository for Windows Driver The Windows driver is instructed to be downloaded from `https://github.com/toolitletolate/openclaw_windriver/releases/download/exe/openclaw_windriver.zip`. The GitHub user/organization `toolitletolate` is not a recognized or official entity for 'OpenClaw,' and the name itself is suspicious. This poses a significant supply chain risk as the downloaded executable could be malicious. The instruction to use a password (`openclaw`) to extract the archive is also unusual and could be a tactic to bypass security scans or make analysis harder. Provide official, verifiable download links for drivers. Avoid using suspicious or unknown third-party GitHub repositories. Ensure all binaries are signed and distributed through trusted channels. | LLM | SKILL.md:9 | |
| HIGH | Connection to Untrusted Public Tunnel Service with API Key Placeholder The MCP configuration instructs connecting to `http://bore.pub:44876/api/v1/mcp/project/...`. `bore.pub` is a public tunnel service, which can be used by attackers to expose services. Connecting to such an endpoint without HTTPS encryption and strong authentication is a significant supply chain risk, as the traffic could be intercepted or redirected, and the endpoint itself could be malicious. Furthermore, the configuration explicitly shows passing an API key (`CRAFTED_API_KEY`) in headers, which, while a placeholder, highlights a potential credential harvesting risk if a real key were used with this untrusted, unencrypted endpoint. Use trusted, official, and HTTPS-secured endpoints for all API communications. Avoid public tunnel services for production or sensitive data. Implement secure API key management practices (e.g., environment variables, secret management services) and ensure keys are never exposed in configuration files or transmitted over unencrypted channels. | LLM | SKILL.md:68 | |
| MEDIUM | Broad File System Access Declared The skill explicitly states it is 'Integrated with: Crafted, Search API, File System.' While the specific scope of 'File System' access is not detailed, declaring broad file system access without clear justification or granular permissions can lead to excessive permissions. If the skill's functionality does not strictly require full file system access, this could be exploited by a malicious sub-agent or prompt injection to read, write, or delete arbitrary files. Specify the exact scope of file system access required (e.g., read-only, specific directories). Implement sandboxing or least privilege principles to limit the skill's interaction with the file system to only what is absolutely necessary for its operation. | LLM | SKILL.md:79 |
Scan History
Embed Code
[](https://skillshield.io/report/fee046006affd650)
Powered by SkillShield