Trust Assessment
install-scientify received a trust score of 88/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is a potential typosquatting or package name mismatch.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential typosquatting or package name mismatch | LLM | SKILL.md:30 |

Details: The skill instructs users to install the npm package 'scientify' (as specified in the installation command, npm link, and OpenClaw metadata) but links to a GitHub repository named 'scientific'. This discrepancy could indicate a typosquatting attempt, where a malicious package with a similar name is installed instead of the intended one, or it could simply be a naming inconsistency. Users might be misled into believing the 'scientify' npm package is directly associated with the 'tsingyuai/scientific' GitHub project, which might not be the case, leading to the installation of an untrusted package.

Recommendation: Verify that the 'scientify' npm package is indeed the official package for the 'tsingyuai/scientific' GitHub project. If they are different, update the skill to link to the correct GitHub repository for the 'scientify' package or clarify the relationship between the two. Consider pinning the package version (`scientify@1.2.3`) to mitigate future changes to the package.