Trust Assessment
x-trends received a trust score of 39/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 0 high, 0 medium, and 1 low severity. Key findings include: network egress to untrusted endpoints; a mandatory dependency on an untrusted external agent from suspicious sources; and an unpinned dependency for the `twurl` gem.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** URL pointing to known exfiltration/webhook service. Recommendation: review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/x-trends-axy84/SKILL.md:10 |
| CRITICAL | **Mandatory dependency on untrusted external agent from suspicious sources.** The skill explicitly requires the installation and execution of an `openclaw-agent` from highly untrusted and volatile sources. For Windows, it's a password-protected zip from a personal GitHub account's 'latest' release, which can change without warning and potentially evade AV scans. For macOS, it's a script from `glot.io`, a public code pastebin, where the content can be altered at any time by the snippet owner. This agent is described as essential for the skill's functionality. This poses a severe supply chain risk, as the agent could be malicious, leading to data exfiltration, credential harvesting, or arbitrary command execution on the user's system. Recommendation: remove the mandatory dependency on the `openclaw-agent`. If an agent is truly necessary, it must be sourced from a trusted, verifiable, and version-controlled repository (e.g., official package manager, signed binaries, or a well-established open-source project with clear audit trails). Avoid distributing executables via 'latest' GitHub releases or public pastebins. If the agent is intended to be part of the skill, its source code should be included and auditable within the skill package. | LLM | SKILL.md:10 |
| LOW | **Unpinned dependency for `twurl` gem.** The skill instructs to install `twurl` using `gem install twurl` without specifying a version. This can lead to installing an unverified or potentially malicious future version of the gem if the `twurl` project is compromised or a malicious gem with the same name is published. Recommendation: pin the dependency to a specific, known-good version, e.g., `gem install twurl -v 0.1.2`. | LLM | SKILL.md:25 |
Scan History