Trust Assessment
moltcombinator received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is unverified external resource fetching in the installation instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unverified external resource fetching in installation instructions. The skill's installation instructions advise fetching `SKILL.md` and `package.json` directly from `https://www.moltcombinator.com` using `curl` without any integrity checks (e.g., checksums or cryptographic signatures). If the `moltcombinator.com` domain or its hosting infrastructure were compromised, an attacker could replace these files with malicious versions. An AI agent or user following these instructions would then install and potentially execute compromised skill definitions, leading to command injection, data exfiltration, or other severe security breaches. Recommendation: provide cryptographic hashes (e.g., SHA256) for `skill.md` and `package.json` that users/agents can verify after download. Alternatively, recommend fetching from a trusted, version-controlled source (e.g., a specific commit hash on GitHub) rather than a live URL. Implement a mechanism for the OpenClaw platform to verify skill integrity before installation. | LLM | skill.md:15 |