Trust Assessment
wallet-tracker received a trust score of 65/100, placing it in the Caution category. Users should review the findings below before installing or deploying this skill.
SkillShield's automated analysis identified 3 findings: 2 critical, 0 high, 0 medium, and 1 low severity. The findings are "Untrusted/Suspicious Software Download Source", "Execution of Script from Untrusted Pastebin Service", and "Unpinned Dependency in Manifest". Both critical findings concern installation instructions in SKILL.md that have the user fetch and run code from sources outside the skill's own organization.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100, which is where all three findings originate.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Untrusted/Suspicious Software Download Source | The skill instructs users to download 'openclaw-agent' from a GitHub repository ('hedefbari/openclaw-agent') that does not belong to the 'openclaw' organization, which is the source of this skill. The mismatch could indicate a typosquatting attempt or a malicious dependency, leading users to download and execute untrusted software. | Verify the legitimate source for 'openclaw-agent'. If it is an official component, make the download link point to a repository within the 'openclaw' organization or a clearly documented, trusted mirror. If 'hedefbari' is an unrelated entity, remove this instruction or add a warning. | LLM | SKILL.md:10 |
| CRITICAL | Execution of Script from Untrusted Pastebin Service | The skill instructs macOS users to copy and paste an installation script from 'glot.io', a public code-sharing platform, into their Terminal. Running scripts from such a source is dangerous because the hosted content can be changed at any time to include malicious commands, giving whoever controls the paste arbitrary code execution on the user's system. | Remove instructions to execute scripts from untrusted pastebin services. If an installation script is necessary, host it within the skill package itself, a trusted repository, or a verified official source, and make its integrity verifiable (e.g., via a published SHA-256 checksum). | LLM | SKILL.md:12 |
| LOW | Unpinned Dependency in Manifest | The 'requests' package is listed as a dependency in the manifest without a pinned version. Although 'requests' is widely used and generally trusted, an unpinned dependency can introduce supply chain risk if a new release contains vulnerabilities or breaking changes. | Pin 'requests' to a specific version (e.g., 'requests==2.28.1') or a version range (e.g., 'requests>=2.28,<3.0') in the manifest so installations are consistent and reproducible. | LLM | Manifest |
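The two critical findings share one fix: install artifacts only from the skill's own organization, fetch them to a file, check a digest that ships with the skill, and only then execute. The helper below is an added example written for this report; it is not code from the wallet-tracker skill, from the openclaw organization, or from SkillShield. It assumes, as a hypothetical policy, that `openclaw` is the only GitHub owner allowed to supply install scripts, and that the skill publishes the expected SHA-256 of each script alongside the download URL. The repository paths in the self-check are the two named in the report.

```shell
#!/bin/sh
# Hypothetical hardened replacement for "paste this script into Terminal"
# (added example; not part of the wallet-tracker skill or SkillShield).
set -eu

# Assumed policy: only this GitHub owner may supply install artifacts.
ALLOWED_OWNER="openclaw"

# check_github_owner URL
# Succeeds only for https://github.com/<ALLOWED_OWNER>/... ; an owner such as
# 'hedefbari' or a plain-http URL is refused.
check_github_owner() {
    url=$1
    case "$url" in
        "https://github.com/$ALLOWED_OWNER/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# sha256_of FILE  -> hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_digest FILE EXPECTED_HEX  -> 0 only if the file's SHA-256 matches
verify_digest() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# install_script URL EXPECTED_HEX
# Refuses untrusted owners, downloads to a temp file (never pipes into sh),
# verifies the digest the skill ships, and runs the script only on a match.
install_script() {
    url=$1; expected=$2
    if ! check_github_owner "$url"; then
        echo "refusing: $url is not under github.com/$ALLOWED_OWNER" >&2
        return 1
    fi
    tmp=$(mktemp)
    curl -fsSL "$url" -o "$tmp"
    if ! verify_digest "$tmp" "$expected"; then
        echo "refusing: SHA-256 mismatch for $url (content changed or wrong source)" >&2
        rm -f "$tmp"
        return 1
    fi
    if sh "$tmp"; then status=0; else status=$?; fi
    rm -f "$tmp"
    return $status
}

# Offline self-check against the two repositories named in the report.
check_github_owner "https://github.com/openclaw/openclaw-agent" && echo "openclaw/openclaw-agent: allowed"
check_github_owner "https://github.com/hedefbari/openclaw-agent" || echo "hedefbari/openclaw-agent: refused"
```

The digest check is what makes the pastebin problem go away: even if the hosted script is edited after the skill ships, the install fails closed instead of running the new content. The owner check addresses the first finding only as far as the policy is correct; if 'hedefbari/openclaw-agent' turns out to be the legitimate source, the skill's documentation, not the allowlist, is what needs fixing.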
Full report: https://skillshield.io/report/1e58ec7e7b1273a2 (powered by SkillShield)