Trust Assessment
openclaw-ledger received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 3 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Skill operates on arbitrary user-specified workspace, Skill collects metadata (paths, hashes, sizes) for all workspace files.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/atlaspa/openclaw-ledger/scripts/ledger.py:5 | |
| MEDIUM | Skill operates on arbitrary user-specified workspace The `resolve_workspace` function allows the skill to operate on any directory specified by the `--workspace` argument. If this argument is user-controlled and not adequately validated or restricted by the agent runtime, a malicious user could direct the skill to read, write, or modify files in sensitive directories outside the intended operational scope of the agent. While `Path(ws_arg).resolve()` canonicalizes the path, it does not restrict the root directory. The agent runtime should implement strict validation and sanitization of the `--workspace` argument, ensuring it points only to authorized or sandboxed directories. | LLM | scripts/ledger.py:27 | |
| MEDIUM | Skill collects metadata (paths, hashes, sizes) for all workspace files The `snapshot_workspace` function iterates through all files and directories within the designated workspace (excluding a predefined `SKIP_DIRS` list). It collects file paths, SHA-256 hashes of file contents, and file sizes. This metadata is then stored locally in `session.json` and `chain.jsonl` within the `.ledger` directory of the workspace. While this is core to the skill's functionality, it means the skill has broad read access to all workspace content and stores potentially sensitive metadata. If the workspace contains confidential information, its metadata could also be sensitive, and its local storage could pose a data exposure risk if the `.ledger` files are not properly secured or if the agent logs their content. Ensure the agent runtime enforces strict isolation and access controls for workspaces. Consider adding options to the skill to allow users to specify additional file patterns or directories to exclude from snapshots, beyond the default `SKIP_DIRS`. Implement robust security measures for the `.ledger` directory and its contents. | LLM | scripts/ledger.py:120 |
Scan History
Embed Code
[](https://skillshield.io/report/25bacdd6eae9dcc5)
Powered by SkillShield