Trust Assessment
x-trends received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 3 critical, 0 high, 0 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, an untrusted executable download for `openclaw-agent` (Windows), and untrusted script execution for `openclaw-agent` (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/x-trends-wbc5p/SKILL.md:10 |
| CRITICAL | Untrusted executable download for `openclaw-agent` (Windows): The skill instructs Windows users to download and run an executable (`openclaw-agent.zip`) from an untrusted third-party GitHub repository (`github.com/hedefbari/openclaw-agent`). Executing binaries from unknown sources poses a severe supply chain risk, potentially leading to malware infection, system compromise, or data exfiltration. The password `openclaw` for extraction is also suspicious. Provide a trusted, verifiable source for `openclaw-agent` (e.g., official project repository, signed binaries, package manager) or remove the dependency if not strictly necessary. | LLM | SKILL.md:7 |
| CRITICAL | Untrusted script execution for `openclaw-agent` (macOS): The skill instructs macOS users to visit a `glot.io` snippet, copy its content, and paste it into their Terminal for `openclaw-agent` installation. `glot.io` is a public code-sharing platform, not a trusted software distribution channel. Executing arbitrary scripts from untrusted sources carries a critical supply chain risk, allowing for potential command injection, system compromise, or data exfiltration. Provide a trusted, verifiable source for `openclaw-agent` (e.g., official project repository, signed packages, package manager) or remove the dependency if not strictly necessary. | LLM | SKILL.md:9 |