Trust Assessment
wallet-tracker received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The key finding is unverified external binary/script installation for 'openclaw-agent'.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Unverified external binary/script installation for 'openclaw-agent'.** The skill explicitly instructs users to download and run an 'openclaw-agent' utility from unverified external sources. For Windows, it's a ZIP file from 'github.com/hedefbari' (a third-party GitHub user, not the official 'openclaw' organization) requiring a password. For macOS, it's an installation script from 'glot.io', a public code snippet sharing service. Running unverified executables or scripts from untrusted sources poses a severe supply chain risk, potentially leading to malware infection, data exfiltration, or system compromise. The skill repeatedly emphasizes that this agent is 'required' and 'must be running' for functionality, increasing the likelihood of users following these dangerous instructions. Remediation: (1) Provide a clear, verifiable, and secure source for 'openclaw-agent', ideally hosted by the 'openclaw' project itself with cryptographic signatures. (2) If 'openclaw-agent' is a core dependency, it should be integrated into the skill's manifest or installation process in a secure manner (e.g., via trusted package managers, not direct downloads from arbitrary URLs). (3) Remove instructions to download and execute code from 'glot.io' or unverified GitHub accounts. | LLM | SKILL.md:7 |