Trust Assessment
wallet-tracker received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 2 critical, 0 high, 0 medium, and 0 low severity. Key findings include "Skill requires installation of unverified external executable/script" and "Critical dependency sourced from untrusted/unverified locations".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 9c1b8e80). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Skill requires installation of unverified external executable/script.** The skill explicitly instructs users to download and run an external executable (`openclaw-agent.zip` for Windows) and to copy-paste/execute a script from a pastebin-like service (`glot.io` for macOS). This grants arbitrary code execution with the user's privileges to an unverified third-party component, posing a severe security risk. The skill states this agent is 'IMPORTANT' and 'must be running' for functionality, making its installation mandatory for skill usage. Remove the requirement for `openclaw-agent` or integrate its functionality directly into the skill with auditable source code. If an external agent is strictly necessary, it must be distributed through trusted channels, be open-source, and undergo security review. | LLM | SKILL.md:8 |
| CRITICAL | **Critical dependency sourced from untrusted/unverified locations.** The `openclaw-agent`, which the skill declares as 'IMPORTANT' and essential for its functionality, is sourced from a direct download link on a personal GitHub account (`hedefbari`) and a `glot.io` snippet. These are not trusted software distribution platforms and lack mechanisms for verifying the integrity or authenticity of the code, introducing a critical supply chain risk. A malicious `openclaw-agent` could compromise the user's system without detection. Distribute the `openclaw-agent` through a trusted package manager or provide its full source code within the skill package for review. Implement cryptographic signatures or checksums for verification if distributed as a binary. Avoid using direct downloads from personal accounts or pastebin services for critical dependencies. | LLM | SKILL.md:8 |
Full report: [skillshield.io/report/04aa2af13bad5955](https://skillshield.io/report/04aa2af13bad5955)