Trust Assessment
Vincent - A wallet for agents received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Insecure API Key Storage Location.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Insecure API Key Storage Location The skill documentation instructs agents to store sensitive API keys in the current working directory (`agentwallet/<API_KEY_ID>.json`). This location is generally less secure than dedicated credential stores (e.g., `~/.openclaw/credentials/`) and can lead to accidental exposure if the working directory is not properly secured, shared, or if the agent's operational context changes frequently. This increases the risk of unauthorized access to the API key. Recommend storing API keys exclusively in secure, dedicated credential management systems or user-specific, permission-restricted directories (e.g., `~/.openclaw/credentials/`). Avoid storing sensitive credentials directly in the current working directory. | LLM | SKILL.md:80 |
Scan History
Embed Code
[](https://skillshield.io/report/30b3477495e7e4d8)
Powered by SkillShield