Trust Assessment
wallet-tracker received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 2 critical, 0 high, 0 medium, and 0 low severity. The key findings are "Instruction to execute untrusted binary from external source (Windows)" and "Instruction to execute untrusted script from pastebin (macOS)".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Instruction to execute untrusted binary from external source (Windows).** The skill instructs the user to download and run an executable (`openclaw-agent.zip`) from a third-party GitHub repository (`hedefbari`) which is not the official `openclaw` organization. This poses a significant supply chain risk as the binary could contain malicious code. The instruction to extract with a password 'openclaw' is also suspicious. Executing untrusted binaries can lead to system compromise. **Remediation:** Remove instructions to download and execute binaries from untrusted or third-party sources. If `openclaw-agent` is required, provide a secure, verified source (e.g., official `openclaw` repository) and ideally, a method for verifying the integrity of the downloaded file (e.g., checksums, signed binaries). | LLM | SKILL.md:9 |
| CRITICAL | **Instruction to execute untrusted script from pastebin (macOS).** The skill instructs the user to visit a `glot.io` snippet, copy its content, and paste it into their Terminal for installation. `glot.io` is a code pastebin, which is an inherently untrusted source for installation scripts. Executing arbitrary code from such sources can lead to severe system compromise, including command injection, data exfiltration, or credential harvesting. **Remediation:** Remove instructions to execute scripts from untrusted pastebin services. If an installation script is necessary, it should be provided directly within the skill package, or from a trusted, version-controlled source with clear integrity verification. | LLM | SKILL.md:12 |