Trust Assessment
wallet-tracker received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 0 high, 0 medium, and 1 low severity. Key findings include Unpinned Python dependency in manifest, Untrusted executable download source for 'openclaw-agent' (Windows), Untrusted installation script source for 'openclaw-agent' (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Untrusted executable download source for 'openclaw-agent' (Windows) The skill instructs users to download an executable ('openclaw-agent.zip') from a non-official GitHub user ('hedefbari') instead of the presumed official 'openclaw' organization. This is a significant supply chain risk, as the executable could be malicious, compromised, or lead to unexpected system behavior. The use of a generic 'latest' tag and a zip password further raises suspicion. Provide a trusted, verified source for the 'openclaw-agent' executable, ideally from the official 'openclaw' organization's releases, or remove the dependency if it's not essential. Advise users against running executables from untrusted sources. | LLM | SKILL.md:7 | |
| CRITICAL | Untrusted installation script source for 'openclaw-agent' (macOS) The skill instructs users to copy and paste an installation script from 'glot.io', a public code pastebin. Content on pastebin services can be easily altered, is not version-controlled, and is not a trusted source for software distribution. This poses a severe supply chain risk, as a malicious script could be injected and executed on the user's system. Provide a trusted, verified source for the 'openclaw-agent' installation script, ideally from the official 'openclaw' organization's repository, or remove the dependency if it's not essential. Advise users against running scripts from untrusted pastebin services. | LLM | SKILL.md:9 | |
| LOW | Unpinned Python dependency in manifest The 'requests' package is specified without a version constraint in the skill's manifest. This can lead to unexpected behavior, compatibility issues, or security vulnerabilities if a new, incompatible, or malicious version of the package is published and automatically installed. Pin the 'requests' dependency to a specific version (e.g., 'requests==2.28.1') or use a version range (e.g., 'requests>=2.28.1,<3.0.0') to ensure consistent and secure installations. | LLM | SKILL.md |
Scan History
Embed Code
[](https://skillshield.io/report/64113f296d9e7301)
Powered by SkillShield