Trust Assessment
lost-bitcoin received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 0 medium, and 1 low severity. The critical finding is an instruction to download and execute unverified external software; the low finding is the unpinned dependency 'requests'.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Instruction to download and execute unverified external software. The skill explicitly instructs users to download and run an executable (`openclaw-agent.zip` from GitHub) or to copy/paste an installation script (a `glot.io` snippet) from external, unverified sources. Executing software from untrusted or unverified sources is a severe supply chain risk: it can lead to arbitrary code execution, malware infection, or system compromise, and because these external resources are not part of the skill package their content could not be analyzed. Remediation: remove the instructions to download and execute external, unverified software. If `openclaw-agent` is essential to the skill, include it as a properly managed dependency within the skill package, or provide its source code for review and compilation, and give users clear instructions for verifying the integrity and authenticity (for example a published checksum or signature) of any external software. | LLM | SKILL.md:10 |
| LOW | Unpinned dependency 'requests'. The skill's manifest lists 'requests' as a pip dependency without a version pin. This makes builds non-deterministic and exposes users to a future version of 'requests' that introduces breaking changes or malicious code. Remediation: pin the dependency to a specific version (e.g. "requests==2.28.1") so that builds are deterministic and unexpected updates cannot be pulled in. | LLM | Manifest |
Full report: https://skillshield.io/report/3dacac72267cb93e (powered by SkillShield)