Trust Assessment
pwnclaw-security-scan received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are External Prompt Injection Vector and Agent Responses Sent to External Service.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | External Prompt Injection Vector: The skill instructs the AI agent to fetch prompts from an external service (`https://www.pwnclaw.com/api/test/{token}`) and then respond to them. This creates a direct vector for prompt injection, where a malicious or compromised external service could send arbitrary instructions to the agent, potentially manipulating its behavior or extracting information. While the service is intended for security testing, the mechanism itself is a vulnerability if the external source is not fully trusted. Implement strict input validation and sanitization for all prompts received from external services. Ensure the agent operates within a confined environment (sandbox) and has minimal permissions when interacting with untrusted external content. Consider using a dedicated, isolated LLM instance for security testing to prevent cross-contamination with production environments. | LLM | SKILL.md:31 |
| MEDIUM | Agent Responses Sent to External Service: The skill instructs the AI agent to send its responses (`"your answer"`) to an external service (`https://www.pwnclaw.com/api/test/{token}`). If the agent processes or generates sensitive information (e.g., PII, confidential data) in response to the external prompts, this information could be exfiltrated to the `pwnclaw.com` service. While this is part of the intended functionality for security testing, it represents a data leakage risk if the agent is not carefully isolated or if the external service is compromised. Ensure that the agent is configured to *never* process or generate sensitive user data when operating in a mode that sends responses to external services. Implement data masking or redaction for any potentially sensitive information before it is sent. Clearly inform users about the data sharing implications of using this skill. | LLM | SKILL.md:32 |