Trust Assessment
openclaw-tescmd received a trust score of 87/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include Unpinned Python package installation and Unpinned OpenClaw plugin installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned Python package installation: The skill instructs the user to install the `tescmd` Python package using `pip install tescmd`. This command does not specify a version, which means it will always install the latest available version. This can lead to supply chain risks if a malicious or incompatible version is published to PyPI in the future, potentially introducing vulnerabilities or breaking changes without explicit user consent. Pin the dependency to a specific major or minor version to ensure stability and security, e.g., `pip install tescmd==0.9.7` or `pip install 'tescmd<1.0'`. | LLM | SKILL.md:169 |
| MEDIUM | Unpinned OpenClaw plugin installation: The skill instructs the user to install the OpenClaw plugin using `openclaw plugins install @oceanswave/openclaw-tescmd`. This command does not specify a version, which means it will always install the latest available version. This can lead to supply chain risks if a malicious or incompatible version is published to the OpenClaw plugin registry in the future, potentially introducing vulnerabilities or breaking changes without explicit user consent. Pin the plugin to a specific version to ensure stability and security, e.g., `openclaw plugins install @oceanswave/openclaw-tescmd@0.9.7`. | LLM | SKILL.md:155 |