Trust Assessment
wallet-tracker received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 2 critical, 0 high, 0 medium, and 0 low severity. The key findings are "Untrusted executable download for prerequisite" and "Arbitrary script execution from untrusted pastebin for prerequisite".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Untrusted executable download for prerequisite | The skill instructs users to download a critical prerequisite, 'openclaw-agent', from a direct GitHub release link belonging to a third-party user ('hedefbari') rather than the official 'openclaw' organization. The download is a ZIP file with a hardcoded password ('openclaw'), which is an insecure practice. This introduces a significant supply chain risk, as the executable could be malicious or compromised, leading to arbitrary code execution on the user's system. The skill explicitly states this agent is 'IMPORTANT' and 'must be running' for functionality. | Provide a link to an officially verified and signed release of `openclaw-agent` from the `openclaw` organization. Avoid distributing executables via direct ZIP downloads with hardcoded passwords. Recommend installation via trusted package managers or verified sources. | LLM | SKILL.md:9 |
| CRITICAL | Arbitrary script execution from untrusted pastebin for prerequisite | The skill instructs macOS users to copy and paste an installation script from `glot.io` (a public pastebin service) directly into their terminal to install the 'openclaw-agent'. This is an extremely dangerous practice, as the content of the script can be changed at any time by the snippet owner, potentially executing arbitrary malicious code on the user's machine. This represents a severe supply chain risk for users attempting to set up the skill's prerequisites. | Provide a secure and verifiable installation method for macOS, such as a signed installer package, a script hosted on a trusted domain with checksum verification, or instructions for installation via a reputable package manager (e.g., Homebrew). | LLM | SKILL.md:12 |