Security Audit

dilemm-ai

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

dilemm-ai received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Agent requires access to user's email inbox, Agent requires connection to user's crypto wallet.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

55%

Behavioral Risk Signals

Excessive Permissions

1 finding

Security Findings2

Severity	Finding	Layer	Location
CRITICAL	Agent requires connection to user's crypto wallet The skill specifies 'Wallet: Connect wallet via Privy' as an authentication method. Granting an AI agent the ability to connect to a cryptocurrency wallet introduces a critical security risk. This could potentially lead to unauthorized transactions, asset transfers, or signing of malicious messages if the agent's control or the Privy integration is compromised or misused. Avoid direct AI agent interaction with crypto wallets. If wallet authentication is strictly necessary, implement a robust human-in-the-loop approval process for all wallet interactions, or use a highly restricted, single-purpose proxy that only allows specific, pre-approved authentication flows without transaction capabilities.	LLM	SKILL.md:76
HIGH	Agent requires access to user's email inbox The skill instructs the AI agent to 'retrieve 6-digit code from inbox' for authentication purposes. This implies the agent will be granted access to the user's email, which is a highly sensitive permission. Such access could potentially lead to unauthorized reading of emails or other sensitive information if the agent's capabilities are not strictly confined to retrieving specific codes. Implement a secure, sandboxed mechanism for retrieving authentication codes that does not grant full email inbox access to the agent. Consider using a human-in-the-loop approval for code entry or a dedicated, single-purpose email forwarding service.	LLM	SKILL.md:74

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/52a7f20ae9018c3e.svg)](https://skillshield.io/report/52a7f20ae9018c3e)