Trust Assessment
wishfinity received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key finding: Unpinned `npx` dependency allows arbitrary code execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unpinned `npx` dependency allows arbitrary code execution: The skill's setup instructions recommend configuring an MCP server using `npx -y wishfinity-mcp-plusw`. This command executes an external Node.js package without specifying a version. This means that any future update to the `wishfinity-mcp-plusw` package on npm, even a malicious one, would be automatically downloaded and executed by the OpenClaw gateway. This constitutes a severe supply chain risk, allowing for arbitrary command injection and potential compromise of the host system where the OpenClaw gateway is running. Remediation: Pin the `wishfinity-mcp-plusw` package to a specific, known-good version (e.g., `npx -y wishfinity-mcp-plusw@1.0.0`). Regularly review and update the pinned version after verifying its integrity and security. For example: `"args": ["-y", "wishfinity-mcp-plusw@1.2.3"]` | LLM | SKILL.md:29 |