Trust Assessment
spatix received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings are an unpinned `spatix-mcp` dependency and user data transferred to an external API.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned `spatix-mcp` dependency. The skill instructs users to install the `spatix-mcp` package without specifying a version (`pip install spatix-mcp`). This means the latest version will always be installed, which could introduce breaking changes, security vulnerabilities, or even malicious code if the package maintainer's account is compromised or a new maintainer introduces malicious code. Pinning dependencies is crucial for supply chain security. Pin the dependency to a specific, known-good version (e.g., `pip install spatix-mcp==1.2.3`). Regularly review and update the pinned version to benefit from security patches while maintaining control. | LLM | SKILL.md:38 |
| MEDIUM | User data transferred to external API. The skill's core functionality involves sending user-provided data (e.g., GeoJSON, addresses, natural language descriptions, and entire datasets) to the external `https://api.spatix.io` service. While this is the intended purpose of the skill, it means any sensitive or private information passed to the agent and subsequently used by this skill will be transmitted to a third-party server. Users should be aware of this data transfer and ensure they do not provide highly sensitive information unless they trust the `spatix.io` service's data handling policies. The `POST /api/dataset` endpoint is particularly notable for uploading potentially large user datasets. Clearly inform users that data provided to the skill will be sent to an external third-party service (`spatix.io`). Advise against providing highly sensitive personal or proprietary information. Consider implementing explicit user consent mechanisms for data transfer if possible, especially for dataset uploads. | LLM | SKILL.md:100 |