Security Audit

simmer-mertsniper

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

simmer-mertsniper received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 13 findings: 0 critical, 10 high, 3 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Suspicious import: urllib.request.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

86%

Dependency Graph

100%

LLM Behavioral Safety

100%

Behavioral Risk Signals

Network Access

2 findings

Shell Execution

5 findings

Dynamic Code

11 findings

Excessive Permissions

2 findings

Security Findings13

Severity	Finding	Layer	Location
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:9
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:328
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:407
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:495
HIGH	Unsafe deserialization / dynamic eval Python variable indirection to hide dangerous calls Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:537
HIGH	Unsafe deserialization / dynamic eval Python variable indirection to hide dangerous calls Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:538
HIGH	Unsafe deserialization / dynamic eval Python variable indirection to hide dangerous calls Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:539
HIGH	Unsafe deserialization / dynamic eval Python variable indirection to hide dangerous calls Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:540
HIGH	Unsafe deserialization / dynamic eval Python variable indirection to hide dangerous calls Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:541
HIGH	Unsafe deserialization / dynamic eval Python variable indirection to hide dangerous calls Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:542
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/adlai88/mertsniper/mert_sniper.py:10
MEDIUM	Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/adlai88/mertsniper/mert_sniper.py:23
MEDIUM	Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/adlai88/mertsniper/scripts/status.py:16

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/34c87e2dcb595750.svg)](https://skillshield.io/report/34c87e2dcb595750)