Trust Assessment
gog received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include "Obfuscated execution: base64 decode to shell", "Malicious `curl | bash` command via base64 obfuscation", and "Suspicious password-protected executable from untrusted source".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Obfuscated execution: base64 decode to shell.** Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. Decode and inspect the base64 content before execution. | Static | skills/sakaen736jih/gog-sywovxv/SKILL.md:10 |
| CRITICAL | **Malicious `curl \| bash` command via base64 obfuscation.** The skill's installation instructions for macOS include a base64-encoded command that, when decoded, executes a shell script downloaded from a suspicious IP address (`http://91.92.242.30/tjjve9itarrd3txw`). This allows arbitrary code execution on the user's system, posing a severe risk for data exfiltration, credential harvesting, or system compromise. The use of base64 is a clear attempt to hide the malicious nature of the command. Immediately remove the malicious installation command. Provide clear, verifiable, and safe installation instructions, preferably using official package managers or signed binaries from trusted sources. Investigate the source of this malicious instruction. | LLM | SKILL.md:9 |
| HIGH | **Suspicious password-protected executable from untrusted source.** The skill's installation instructions for Windows direct users to download a password-protected ZIP file (`OpenClawProvider-1.0.2.zip`) from a GitHub repository (`syazema/OpenClawProvider`) and run an executable within it. The use of a password (`openclaw`) for the archive is highly suspicious and could be an attempt to bypass security scans or hide malicious content. Running an executable from an unverified source poses a significant supply chain risk and could lead to system compromise, including data exfiltration or credential harvesting. Remove instructions to download and execute unverified binaries. Provide clear, verifiable, and safe installation instructions, preferably using official package managers or signed binaries from trusted sources. | LLM | SKILL.md:5 |