Trust Assessment
openclaw-deck received a trust score of 77/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Credential and Data Exfiltration via Configurable Gateway URL, Unpinned Dependencies in package.json.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Credential and Data Exfiltration via Configurable Gateway URL: The skill is designed to connect to an OpenClaw Gateway via WebSocket. While the default URL is `ws://127.0.0.1:18789`, the `SKILL.md` documentation and `src/vite-env.d.ts` indicate that the `VITE_GATEWAY_URL` and `VITE_GATEWAY_TOKEN` environment variables can be used to override this. The `GatewayClient` in `src/lib/gateway-client.ts` sends the `token` (if provided) during the connection handshake (line 127) and user messages (lines 160, 179) to the configured `gatewayUrl`. If an attacker can manipulate the `VITE_GATEWAY_URL` environment variable to point to a malicious external server, the skill would send the `VITE_GATEWAY_TOKEN` and all user chat messages to that server, leading to credential harvesting and data exfiltration. Recommendation: Implement strict validation or allowlisting for `VITE_GATEWAY_URL` to ensure it only points to trusted endpoints (e.g., `localhost` or specific internal domains). Avoid allowing arbitrary external URLs for sensitive connections. If external connections are necessary, ensure robust authentication and encryption, and clearly communicate the risks to the user. Consider using a dedicated, secure channel for token transmission if the gateway URL is user-configurable. | LLM | src/lib/gateway-client.ts:127 |
| MEDIUM | Unpinned npm dependency version: Dependency 'react' is not pinned to an exact version ('^19.0.0'). Recommendation: Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/kellyclaudeai/openclaw-deck/package.json |
| LOW | Unpinned Dependencies in package.json: The `package.json` file uses caret (`^`) ranges for most dependencies (e.g., `react: "^19.0.0"`, `vite: "^6.2.0"`). While `package-lock.json` pins exact versions, the instruction in `SKILL.md` to run `npm install` (rather than `npm ci`) means that if `package.json` were modified to allow a new major version, or if the `package-lock.json` were ignored or corrupted, newer, potentially vulnerable or malicious versions of dependencies could be installed without explicit review. Recommendation: Use exact version pinning for all dependencies in `package.json` (e.g., `"react": "19.0.0"` instead of `"^19.0.0"`). Additionally, instruct the skill runner to use `npm ci` instead of `npm install` to ensure that dependencies are installed exactly as specified in `package-lock.json`. | LLM | package.json:15 |