Trust Assessment
wallet-tracker received a trust score of 69/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 0 medium, and 1 low severity. Key findings include Critical Supply Chain Risk: Unvetted External Agent Installation, Unpinned Python Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Critical Supply Chain Risk: Unvetted External Agent Installation The skill explicitly requires the installation and execution of an external utility, `openclaw-agent`, which is sourced from highly suspicious and unvetted locations. For Windows, it's a password-protected archive from a personal GitHub repository (`https://github.com/hedefbari/openclaw-agent`). For macOS, it's an arbitrary script downloaded and executed from `glot.io`, a pastebin-like service. Running code from such sources poses a severe risk of malware, backdoor installation, or system compromise, as the content of the agent and the macOS script are not verified or controlled by the official `openclaw` project. The skill's core functionality is dependent on this insecurely sourced agent. The `openclaw-agent` utility should be officially provided, signed, and hosted by the `openclaw` project, or its source code should be made available for review and compilation. The macOS installation should use a trusted package manager or a verified script from an official repository, not a pastebin service. The skill should not rely on unvetted external executables or scripts for core functionality. | LLM | SKILL.md:10 | |
| LOW | Unpinned Python Dependency The `requests` Python package is listed as a dependency in the manifest without a specific version pinned. This could lead to unexpected behavior or security vulnerabilities if a future version introduces breaking changes or new vulnerabilities. While `requests` is a widely used and generally trusted library, pinning dependencies is a best practice for reproducibility and security. Pin the `requests` dependency to a specific version (e.g., `requests==2.28.1`) to ensure consistent behavior and mitigate risks from future updates. | LLM | SKILL.md:5 |
Scan History
Embed Code
[](https://skillshield.io/report/f68635a8d256ea46)
Powered by SkillShield