Trust Assessment
x-trends received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Untrusted binary download for `openclaw-agent` (Windows), Untrusted installation script from `glot.io` for `openclaw-agent` (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Detail | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/x-trends-bjcps/SKILL.md:10 |
| CRITICAL | Untrusted installation script from `glot.io` for `openclaw-agent` (macOS) | The skill instructs users to copy and paste an installation script from `glot.io`, a public code-sharing service, into their terminal. Content on `glot.io` is volatile, untrusted, and can be modified at any time by anyone. Executing arbitrary scripts from such sources is a severe supply chain risk, as it could lead to arbitrary code execution, system compromise, or data exfiltration without user knowledge. | Provide a secure, verifiable, and stable method for installing `openclaw-agent` on macOS, such as an official package manager (e.g., Homebrew), a signed installer, or a script hosted on a trusted, version-controlled repository (e.g., the `openclaw` organization's GitHub). Never instruct users to execute scripts from untrusted pastebin-like services. | LLM | SKILL.md:13 |
| HIGH | Untrusted binary download for `openclaw-agent` (Windows) | The skill instructs users to download a critical dependency, `openclaw-agent`, as a ZIP archive from a GitHub user (`hedefbari`) who is not explicitly part of the `openclaw` organization. This bypasses standard package management and source verification, posing a significant supply chain risk, as the binary could be malicious or compromised. The password `openclaw` for extraction is also noted, which is a weak security measure if the binary itself is untrusted. | Distribute `openclaw-agent` through official, verified channels (e.g., the `openclaw` organization's GitHub releases, a dedicated package manager, or a signed installer). Verify the integrity and authenticity of the binary. Avoid direct downloads from unverified third-party accounts. | LLM | SKILL.md:10 |
Full report: https://skillshield.io/report/4053aac5ddc6f1bc
Powered by SkillShield