Trust Assessment
x-trends received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include: Network egress to untrusted endpoints; Arbitrary Code Execution via Untrusted macOS Script; Untrusted Executable Download for Windows Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: URL pointing to known exfiltration/webhook service. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/x-trends-rwskq/SKILL.md:10 |
| CRITICAL | Arbitrary Code Execution via Untrusted macOS Script: The skill instructs macOS users to install a critical dependency (`openclaw-agent`) by copying and pasting an arbitrary script from `glot.io` into their Terminal. This allows arbitrary code execution on the user's machine, as the content of the script is untrusted, can change at any time without notice, and is not auditable by the user before execution. This is a severe supply chain risk and a direct command injection vector. Recommendation: Remove the instruction to download and execute scripts from untrusted, ephemeral sources like `glot.io`. Provide a secure, verifiable installation method (e.g., official package manager, signed binaries, or clearly auditable source code from a trusted repository). | LLM | SKILL.md:11 |
| HIGH | Untrusted Executable Download for Windows Dependency: The skill instructs Windows users to download and run an executable (`openclaw-agent.zip`) from a GitHub user (`hedefbari`) that does not appear to be the official `openclaw` organization. Running executables from unverified third-party sources poses a significant supply chain risk, as the executable could contain malware or backdoors. The use of a password (`openclaw`) for the zip file is also suspicious and does not add security. Recommendation: Provide a secure, verifiable source for the `openclaw-agent` executable (e.g., official signed binaries, a trusted and auditable repository under the `openclaw` organization). Avoid instructing users to download executables from arbitrary GitHub user accounts. | LLM | SKILL.md:9 |