Trust Assessment
krumpklaw received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include Missing required field: name, Node lockfile missing, Instruction to store API key directly in configuration file.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Instruction to store API key directly in configuration file The `SKILL.md` instructs users to store their `MOLTBOOK_API_KEY` directly in `TOOLS.md`. Storing API keys in plain text configuration files, especially if these files are part of a version-controlled repository, poses a significant risk of credential exposure. This could lead to unauthorized access to the user's Moltbook account. While the `scripts/moltbook-api.sh` correctly uses an environment variable, the documentation encourages an insecure practice. Instruct users to store API keys securely, preferably using environment variables (e.g., `MOLTBOOK_API_KEY`) or a secure secrets management system, rather than directly in configuration files. Update `SKILL.md` to reflect this secure practice. | LLM | SKILL.md:31 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/arunnadarasa/krumpklaw/SKILL.md:1 | |
| MEDIUM | Unescaped user input in JSON payload for API calls User-provided strings (`title`, `content`, `code`, `answer`) are directly interpolated into JSON payloads within `curl -d` arguments in `scripts/moltbook-api.sh` without proper escaping. This can lead to malformed JSON, causing API errors, unexpected behavior, or potential API-side injection if the backend is vulnerable to JSON parsing issues. An AI agent generating these strings might not escape special characters like double quotes or backslashes, leading to skill failure. This affects `post_to_krumpclaw`, `comment_on_post`, and `verify_content` functions. Implement proper JSON escaping for all user-supplied variables (`$title`, `$content`, `$code`, `$answer`) before embedding them into the `curl -d` argument. A common approach is to use a utility function or a programming language's JSON library to construct the payload. For shell scripts, this often involves careful escaping of double quotes and backslashes. | LLM | scripts/moltbook-api.sh:16 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/arunnadarasa/krumpklaw/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/23de8547875623b2)
Powered by SkillShield