Security Audit

fsxmemory

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned about 1 month ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

fsxmemory received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include Unpinned npm dependency, Unpinned dependency from GitHub.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

70%

Security Findings2

Severity	Finding	Layer	Location
HIGH	Unpinned npm dependency The skill instructs users to install an npm package globally without specifying a version. This means the 'latest' version will be installed, which could introduce breaking changes or malicious code if the package maintainer's account is compromised or a malicious version is published. Pin the dependency to a specific version to ensure deterministic installations and mitigate supply chain risks. For example, use `npm install -g @foresigxt/foresigxt-cli-memory@1.3.1` based on the manifest version.	LLM	SKILL.md:8
HIGH	Unpinned dependency from GitHub The skill instructs users to install a package directly from a GitHub repository using `bun install -g github:tobi/qmd` without specifying a commit hash, tag, or branch. This means the installed code could change unexpectedly if the default branch of the repository is updated, potentially introducing vulnerabilities or malicious code. Pin the dependency to a specific commit hash or tag to ensure deterministic installations and mitigate supply chain risks. For example, `bun install -g github:tobi/qmd#<commit_hash>` or `bun install -g github:tobi/qmd@<tag>`.	LLM	SKILL.md:204

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/725fdb78fbed1f75.svg)](https://skillshield.io/report/725fdb78fbed1f75)