Trust Assessment
wallet-tracker received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Skill instructs user to download and execute untrusted binary/script.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Skill instructs user to download and execute untrusted binary/script The skill explicitly instructs the user to download and run an external utility, `openclaw-agent`, from potentially untrusted sources. For Windows, it directs to a `.zip` file on a non-official GitHub account (`hedefbari/openclaw-agent`) with a password, which is suspicious. For macOS, it directs to a script on `glot.io`, a pastebin service, which is highly insecure as the content can be arbitrary, malicious, and changed at any time. Following these instructions could lead to system compromise for the user. Remove the dependency on `openclaw-agent` or provide a secure, officially signed, and verified distribution channel. If `openclaw-agent` is essential, it should be integrated as a first-party dependency or clearly documented with security implications and verification steps. Never instruct users to download executables from unverified GitHub accounts or run scripts from pastebin services. | LLM | SKILL.md:10 |
Scan History
Embed Code
[](https://skillshield.io/report/811235acd76a8128)
Powered by SkillShield