Trust Assessment
wallet-tracker received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include "External executable dependency from untrusted source" and "Unpinned Python dependency 'requests'".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **External executable dependency from untrusted source.** The skill instructs users to download and execute 'openclaw-agent' from external URLs (GitHub releases and glot.io). Relying on external, manually installed binaries or scripts from potentially untrusted or volatile sources (like a pastebin) introduces significant supply chain risks. The integrity and security of 'openclaw-agent' cannot be guaranteed, and it could contain malicious code, leading to command injection, data exfiltration, or system compromise on the user's machine. The skill's core functionality is stated to depend on this external agent. Recommendation: integrate the 'openclaw-agent' functionality directly into the skill package, or provide a secure, verifiable installation method. If an external agent is strictly necessary, provide cryptographic hashes (e.g., SHA256) for downloaded binaries and instruct users to verify them. Avoid using pastebin-like services (glot.io) for distributing critical installation scripts. Clearly document the security implications of installing third-party executables. | LLM | SKILL.md:6 |
| MEDIUM | **Unpinned Python dependency 'requests'.** The skill's manifest specifies the 'requests' package without a version constraint. This can lead to supply chain vulnerabilities if a future version of 'requests' introduces breaking changes, security flaws, or malicious code. It also makes the skill's behavior non-deterministic across different installation environments. Recommendation: pin the 'requests' dependency to a specific, known-good version (e.g., 'requests==2.28.1') or use a version range with an upper bound (e.g., 'requests>=2.28.1,<3.0.0') in the manifest's 'install' section. | LLM | SKILL.md:1 |