Security Audit

wallet-tracker

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

wallet-tracker received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Instruction to execute arbitrary script from untrusted source, Instruction to download and run untrusted executable.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

55%

Behavioral Risk Signals

Network Access

1 finding

Shell Execution

2 findings

Dynamic Code

1 finding

Security Findings2

Severity	Finding	Layer	Location
CRITICAL	Instruction to execute arbitrary script from untrusted source The skill instructs macOS users to visit a `glot.io` snippet, copy its content, and paste it into their terminal for execution. `glot.io` is a public code-sharing service, and the content at the provided URL is untrusted and could contain malicious commands, leading to arbitrary code execution on the user's system. This is a severe supply chain risk and a direct command injection vector. Replace the instruction with a trusted, verifiable installation method (e.g., a signed package, a script hosted in the skill's own repository with clear review, or a well-known package manager). Do not instruct users to execute code from arbitrary external pastebin services.	LLM	SKILL.md:9
HIGH	Instruction to download and run untrusted executable The skill instructs Windows users to download an executable (`openclaw-agent.zip`) from a GitHub release page of an unknown user (`hedefbari`) and run it. Executing binaries from unverified sources poses a significant supply chain risk, as the executable could contain malware or perform unintended actions on the user's system. Provide a trusted and verifiable source for the `openclaw-agent` executable, such as an official, signed release from a known entity, or instructions to build from source. Avoid directing users to download and execute binaries from arbitrary GitHub user accounts.	LLM	SKILL.md:7

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/72d236691d7b9db5.svg)](https://skillshield.io/report/72d236691d7b9db5)