Trust Assessment
slopesniper received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. The key findings are that the skill instructs the LLM to expose the user's private key, that the skill instructs the LLM to post sensitive diagnostic data to public GitHub issues, and that the manifest contains an unpinned Git dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Skill instructs LLM to expose user's private key.** The skill explicitly instructs the LLM to use the `slopesniper export` command when a user requests to "Export my key" or "backup wallet". This command outputs the user's private key, a highly sensitive credential. If the LLM's response or internal logs are compromised, this could lead to the private key being exposed. Recommendation: remove instructions for the LLM to directly output private keys. Instead, guide the user to a secure, out-of-band method for key management, or ensure the `slopesniper export` command has strong interactive confirmation and warnings that prevent automated logging/exposure. | LLM | SKILL.md:28 |
| HIGH | **Skill instructs LLM to post sensitive diagnostic data to public GitHub issues.** The skill instructs the LLM to include the output of `slopesniper health --diagnose` in GitHub issue bodies. This diagnostic command can reveal sensitive information such as wallet source, machine key integrity, backup availability, and API key configuration. Posting this information to a public GitHub repository constitutes a significant data exfiltration risk. Recommendation: modify the instruction to redact sensitive information from diagnostic output before posting to public forums, or instruct the user to review and redact manually. Alternatively, provide a secure, private channel for sharing diagnostic information. | LLM | SKILL.md:277 |
| MEDIUM | **Unpinned Git dependency in manifest.** The skill's manifest specifies a dependency `git+https://github.com/BAGWATCHER/SlopeSniper.git#subdirectory=mcp-extension` without a specific commit hash. This means that if the default branch of the upstream repository (`BAGWATCHER/SlopeSniper`) is compromised, a malicious version of the skill could be installed without explicit user consent or review, leading to a supply chain attack. Recommendation: pin the Git dependency to a specific commit hash (e.g., `git+https://github.com/BAGWATCHER/SlopeSniper.git@<commit_hash>#subdirectory=mcp-extension`) to ensure deterministic and immutable installations. | LLM | SKILL.md:1 |
Full report: https://skillshield.io/report/148c202d10831bb1
Powered by SkillShield