Security Audit
esri-workflow-smell-detector (consumer)
github.com/openclaw/skillsTrust Assessment
esri-workflow-smell-detector (consumer) received a trust score of 59/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 1 high, 3 medium, and 2 low severity. Key findings include Suspicious import: requests, Potential data exfiltration: file read + network send, Unpinned Python dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential data exfiltration: file read + network send Function 'main' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/danmaps/esri-smells-consumer/scripts/call_smells.py:126 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/danmaps/esri-smells-consumer/scripts/call_smells.py:24 | |
| MEDIUM | Unpinned Python dependency version Requirement 'requests>=2.28.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/danmaps/esri-smells-consumer/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'eth-account>=0.10.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/danmaps/esri-smells-consumer/requirements.txt:2 | |
| LOW | Reliance on Third-Party Service for Data Processing The skill sends user-provided `project_snapshot` data and payment-related information (derived from `WALLET_ADDRESS` and `PRIVATE_KEY` environment variables) to an external third-party endpoint (`https://api.x402layer.cc`). While this is the explicit purpose of the skill, users must trust the security and privacy practices of this external service with their data. The `project_snapshot` is described as 'safe-by-default, no raw data', but its contents are not validated by the skill itself, and the `WALLET_ADDRESS` is transmitted as part of the payment payload. Ensure the third-party service's security and privacy policies are clearly communicated and meet user expectations. Consider adding explicit user consent prompts before sending data to external services, especially if the `project_snapshot` could potentially contain sensitive information despite claims of being 'safe-by-default'. | LLM | scripts/call_smells.py:90 | |
| LOW | Unpinned Dependencies in requirements.txt The `requirements.txt` file uses minimum version specifiers (`>=`) instead of exact version pinning (`==`). This can lead to non-deterministic builds and introduces a risk that future minor or patch versions of dependencies could introduce vulnerabilities or breaking changes without explicit review. Pin all dependencies to exact versions (e.g., `requests==2.28.0`) to ensure deterministic builds and prevent unexpected changes or vulnerabilities from being introduced by new dependency versions. Regularly audit and update pinned dependencies. | LLM | requirements.txt:1 |
Scan History
Embed Code
[](https://skillshield.io/report/7d8f7e8f3a25cbf9)
Powered by SkillShield