Trust Assessment
wallet-tracker received a trust score of 84/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 0 medium, and 1 low severity. Key findings: "Skill requires installation of untrusted external executable/script" and "Unpinned dependency in manifest".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Skill requires installation of untrusted external executable/script.** The skill explicitly states that 'openclaw-agent' is required for its functionality. It instructs the user to download an executable from 'https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip' (Windows) or execute a script from 'https://glot.io/snippets/hfdxv8uyaf' (macOS). The source 'hedefbari' is not the official 'openclaw' organization, raising concerns about potential typosquatting, impersonation, or distribution of malicious software. Relying on unverified external binaries/scripts for core functionality introduces a significant supply chain risk for users of this skill. **Recommendations:** 1. Verify the authenticity and integrity of `openclaw-agent`. If it's an official component, ensure it's distributed from a trusted `openclaw` domain or repository. 2. Provide clear instructions for users to verify checksums or signatures of downloaded binaries. 3. Avoid instructing users to download and execute arbitrary scripts from pastebin-like services (`glot.io`). 4. If `openclaw-agent` is a custom tool, consider open-sourcing it or providing a more secure distribution method. | LLM | SKILL.md:10 |
| LOW | **Unpinned dependency in manifest.** The 'requests' package is specified without a version constraint in the skill's manifest. This can lead to unexpected behavior or security vulnerabilities if a future version introduces breaking changes or new exploits. While 'requests' is a common library, unpinned dependencies are a general supply chain risk. **Recommendation:** Pin the 'requests' dependency to a specific major or minor version (e.g., `requests==2.28.1` or `requests~=2.28`) to ensure consistent and secure installations. | LLM | SKILL.md:4 |
Full report: https://skillshield.io/report/a315e951aa79a5c1