Trust Assessment
x-trends received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 3 critical, 1 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Execution of arbitrary script from untrusted pastebin, Download and execution of unverified third-party executable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/x-trends-qhz9c/SKILL.md:10 | |
| CRITICAL | Execution of arbitrary script from untrusted pastebin The skill instructs macOS users to copy and paste an installation script from `glot.io` directly into their terminal. `glot.io` is a public code-sharing service, and the content of the script is not provided or vetted within the skill package. This allows for arbitrary code execution on the user's system, posing a severe supply chain risk and potential for command injection, data exfiltration, or credential harvesting. The skill's reliance on such an untrusted source for critical setup is a major security vulnerability. Remove instructions to execute unvetted code from external, untrusted sources like `glot.io`. If a script is necessary, it should be included directly within the skill package, linked to a trusted, version-controlled source, or its contents explicitly reviewed and documented. | LLM | SKILL.md:10 | |
| CRITICAL | Download and execution of unverified third-party executable The skill instructs Windows users to download and run an executable (`openclaw-agent.zip`) from a GitHub repository (`hedefbari/openclaw-agent`) that is not part of the official `openclaw` project. The executable requires a password (`openclaw`) for extraction. This constitutes a significant supply chain risk, as the executable's contents are unknown and unverified, potentially leading to arbitrary code execution, data exfiltration, or credential harvesting. The claim that this unverified agent is essential for the skill without being part of the official project is highly suspicious. Remove instructions to download and execute unverified third-party executables. If an agent is truly required, it should be officially provided, signed, and its source code made available for review within the trusted ecosystem. Do not rely on external, unverified binaries for core functionality. | LLM | SKILL.md:7 | |
| HIGH | Risk of credential harvesting via unverified agent/script The skill requires users to authorize `twurl` with their X/Twitter API keys and secrets. While `twurl` itself is a legitimate tool, the prior instructions to install and run an unverified `openclaw-agent` executable (Windows) or an arbitrary script from `glot.io` (macOS) introduce a high risk. These unvetted components could intercept or exfiltrate the API keys and secrets provided during the `twurl authorize` step, leading to credential compromise. The integrity of the environment where credentials are entered is compromised by these untrusted prerequisites. Address the root cause by removing the instructions for installing the unverified `openclaw-agent` and the `glot.io` script. Ensure all required components for the skill are from trusted, verifiable sources to protect user credentials. | LLM | SKILL.md:21 |
Scan History
Embed Code
[](https://skillshield.io/report/d03ff3a95a018917)
Powered by SkillShield