Trust Assessment
x-trends received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 3 critical, 0 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Untrusted executable download for openclaw-agent (Windows), Untrusted installation script from pastebin-like service (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/x-trends-nvdfx/SKILL.md:10 |
| CRITICAL | Untrusted executable download for openclaw-agent (Windows) | The skill instructs users to download an executable (`openclaw-agent.zip`) from a personal GitHub account (`https://github.com/hedefbari/openclaw-agent`) and extract it using a hardcoded password (`openclaw`). This source is not an official OpenClaw organization, making it an untrusted binary. Running executables from untrusted or easily compromised sources poses a severe supply chain risk, potentially leading to malware execution, system compromise, or data exfiltration. The hardcoded password for extraction further complicates security by potentially exposing the contents if the download URL or password becomes public. | Provide `openclaw-agent` from an official, verified, and secure distribution channel (e.g., official OpenClaw GitHub organization, signed binaries, trusted package manager). Remove the hardcoded password requirement for extraction. | LLM | SKILL.md:10 |
| CRITICAL | Untrusted installation script from pastebin-like service (macOS) | The skill instructs users to obtain and execute an installation script from `glot.io`, a public pastebin-like service. Scripts hosted on such platforms can be easily modified by anyone with access, are not version-controlled, and lack integrity checks. Executing arbitrary scripts from untrusted sources is a critical supply chain vulnerability, allowing for potential command injection, malware delivery, or system compromise on the user's machine. | Provide installation instructions and scripts from an official, verified, and secure distribution channel (e.g., official OpenClaw GitHub organization, signed packages, trusted package manager). Avoid directing users to execute code from public paste services. | LLM | SKILL.md:13 |
Full report: https://skillshield.io/report/840297ea5ec6f1ed