Trust Assessment
starlink received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are "Unpinned Git Dependency in Skill Installation" and "Access to Sensitive Network and Location Data".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned Git Dependency in Skill Installation. The skill's manifest specifies a `cargo install` from a Git repository (`https://github.com/danfedick/starlink-cli`) without pinning to a specific commit hash or version tag. This means the skill will always install the `HEAD` of the default branch. If the upstream repository is compromised, malicious code could be injected and automatically installed on the user's system without review, leading to supply chain attacks. Pin the Git dependency to a specific commit hash or version tag in the `install` section of the manifest to ensure deterministic and secure installations. For example, add `rev: "<commit_hash>"` or `tag: "<version_tag>"`. | LLM | SKILL.md:1 |
| MEDIUM | Access to Sensitive Network and Location Data. The `starlink` skill provides access to sensitive information from the user's Starlink network, including GPS coordinates (`starlink location`), WiFi client details (MAC addresses, IP addresses, names, signal strength) (`starlink clients`), and network performance data (`starlink status`, `starlink speedtest`). While the tool itself does not exfiltrate this data, it makes it accessible to the LLM. Without proper safeguards, an LLM could be prompted to reveal this information to unauthorized parties or store it insecurely, posing a privacy risk. Implement strict privacy controls and data handling policies for the LLM when processing output from this skill. Ensure explicit user consent is obtained before accessing, displaying, or transmitting sensitive network or location data. Consider redacting or anonymizing sensitive fields by default. | LLM | SKILL.md:1 |