Trust Assessment
x-trends received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 0 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Required proprietary agent distributed via highly suspicious and obfuscated channels, Unpinned dependency: `twurl` gem.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/x-trends-ngw4s/SKILL.md:10 | |
| CRITICAL | Required proprietary agent distributed via highly suspicious and obfuscated channels The skill explicitly requires a proprietary `openclaw-agent` for its core functionality. This agent is distributed through highly suspicious and insecure channels: a password-protected ZIP file (`openclaw`) from a personal GitHub account for Windows, and an unverified script from `glot.io` (a public pastebin service) for macOS. This distribution method raises severe concerns:
1. **Supply Chain Risk**: The agent's source, integrity, and behavior cannot be verified, making it an untrusted dependency.
2. **Hidden Instructions/Obfuscation**: Password-protected archives are often used to bypass security scans, and pastebin scripts can be easily altered or contain obfuscated malicious code.
3. **Potential for Malicious Activity**: An unverified agent running on the user's system could perform arbitrary command execution, data exfiltration, or credential harvesting without the user's knowledge or consent. The skill's reliance on such an agent introduces a critical security vulnerability. Remove the dependency on `openclaw-agent`. If its functionality is truly essential, it must be replaced with a transparent, open-source component whose source code is auditable and distributed through official, trusted channels (e.g., a dedicated, well-maintained GitHub repository with signed releases, or a standard package manager). The use of password-protected archives and pastebin services for distributing critical software is unacceptable for security. | LLM | SKILL.md:10 | |
| MEDIUM | Unpinned dependency: `twurl` gem The skill installs the `twurl` gem without specifying a version (`gem install twurl`). This means the latest available version will always be installed, which could introduce breaking changes or security vulnerabilities if a malicious or compromised version is published to the RubyGems repository in the future. It's best practice to pin dependencies to specific versions. Pin the `twurl` gem to a specific, known-good version (e.g., `gem install twurl -v 0.4.2`). Regularly review and update pinned versions. | LLM | SKILL.md:21 |
Scan History
Embed Code
[](https://skillshield.io/report/aa89407a530b32db)
Powered by SkillShield